CVE-2026-27117 Overview
CVE-2026-27117 is a path traversal vulnerability, commonly known as "Zip Slip," affecting bit7z, a cross-platform C++ static library used for compression and extraction of archive files. The library does not adequately validate file paths contained in archive entries, allowing files to be written outside the intended extraction directory through three distinct attack mechanisms: relative path traversal, absolute path traversal, and symbolic link traversal.
An attacker can exploit this vulnerability by providing a malicious archive to any application that uses bit7z to extract untrusted archives. Successful exploitation results in arbitrary file write with the privileges of the process performing the extraction, potentially leading to overwriting of application binaries, configuration files, or other sensitive data.
Critical Impact
Arbitrary file write vulnerability allowing attackers to overwrite critical system files, application binaries, or configuration data through malicious archive extraction.
Affected Products
- rikyoz bit7z versions prior to 4.0.11
Discovery Timeline
- 2026-02-24 - CVE-2026-27117 published to NVD
- 2026-02-25 - Last updated in NVD database
Technical Details for CVE-2026-27117
Vulnerability Analysis
This path traversal vulnerability exists in bit7z's archive extraction functionality, specifically in how the library handles file paths extracted from archive entries. The vulnerability enables three distinct traversal mechanisms that bypass the intended extraction directory constraints:
Relative Path Traversal: Archive entries containing sequences like ../ can escape the intended extraction directory by traversing up the directory tree.
Absolute Path Traversal: Archive entries with absolute paths (e.g., /etc/passwd on Unix or C:\Windows\System32\config on Windows) can write files to arbitrary locations on the filesystem.
Symbolic Link Traversal: Malicious archives can contain symbolic links that point to locations outside the extraction directory, which subsequent file writes can then exploit.
The vulnerability does not directly enable reading of file contents; however, applications that subsequently serve or display extracted files may face secondary confidentiality risks from attacker-created symlinks.
Root Cause
The root cause lies in insufficient validation and sanitization of file paths during the extraction process. Prior to version 4.0.11, the fileextractcallback.cpp component and related filesystem utilities (fsutil.cpp) did not apply proper path sanitization when extracting files and restoring symbolic links. The library trusted path information from archive entries without verifying that the resolved destination remained within the intended extraction boundary.
Attack Vector
An attacker exploits this vulnerability by crafting a malicious archive file containing entries with specially constructed paths. The attack requires no privileges and can be executed remotely by convincing a user or application to extract the malicious archive. The exploitation process involves:
- Creating an archive with entries containing path traversal sequences (e.g., ../../../../../../etc/cron.d/malicious)
- Distributing the malicious archive to a target application using bit7z
- When the application extracts the archive, files are written outside the intended directory
- The attacker achieves arbitrary file write with the privileges of the extracting process
// Security patch excerpt from fileextractcallback.cpp
// Before: Attributes set without path validation for symlinks
// filesystem::fsutil::set_file_attributes( mFilePathOnDisk, mCurrentItem.attributes() );
// After: Path sanitization applied through mOutPathBuilder
filesystem::fsutil::set_file_attributes( mOutPathBuilder, mFilePathOnDisk, mCurrentItem.attributes() );
Source: GitHub Commit 31763da
Detection Methods for CVE-2026-27117
Indicators of Compromise
- Files appearing in unexpected system directories following archive extraction operations
- Symbolic links created in extraction directories pointing to sensitive system paths
- Modification timestamps on critical system files coinciding with archive extraction events
- Application log entries showing file paths with ../ sequences during extraction
Detection Strategies
- Monitor file system activity during archive extraction for writes outside expected directories
- Implement application-level logging that captures full destination paths during extraction operations
- Use file integrity monitoring (FIM) on critical directories to detect unauthorized modifications
- Audit applications using bit7z versions prior to 4.0.11 across your environment
Monitoring Recommendations
- Enable detailed logging on archive extraction operations in applications using bit7z
- Configure endpoint detection to alert on directory traversal patterns in file paths
- Monitor for creation of symbolic links in temporary or extraction directories
- Review application behavior for unexpected file writes following archive processing
How to Mitigate CVE-2026-27117
Immediate Actions Required
- Upgrade bit7z to version 4.0.11 or later immediately
- Audit all applications using bit7z and prioritize those handling untrusted archives
- Run extraction operations with least privilege principles applied
- Extract untrusted archives in sandboxed or isolated directories
Patch Information
The vulnerability has been fixed in bit7z version 4.0.11. The security patches address path sanitization in both the file extraction callback mechanism and the filesystem utilities. Two primary commits implement the fix:
- GitHub Commit 31763da - Applies path sanitization when restoring symbolic links
- GitHub Commit 9e02048 - Fixes and improves extraction path sanitization
The official release is available at GitHub Release v4.0.11. For complete details, refer to the GitHub Security Advisory GHSA-qvjh-hhw4-3gx9.
Workarounds
- Validate each entry's destination path before writing to ensure it remains within the intended extraction directory
- Run extraction processes with least privilege using dedicated service accounts
- Extract untrusted archives in a sandboxed directory with restricted permissions
- Implement application-level path canonicalization before file writes
# Example: Create isolated extraction environment with restricted permissions
mkdir -p /var/sandbox/extraction
chown extraction-svc:extraction-svc /var/sandbox/extraction
chmod 700 /var/sandbox/extraction
# Bind-mount the directory onto itself, then remount the bind mount with
# noexec and nosuid (the "bind" flag is required on the remount so the options
# apply to this bind mount instead of the underlying filesystem)
mount --bind /var/sandbox/extraction /var/sandbox/extraction
mount -o remount,bind,noexec,nosuid /var/sandbox/extraction
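The following is an added example, not bit7z's own code, showing the per-entry destination check that the workarounds above call for. It covers the three mechanisms from the vulnerability analysis: a lexical pass rejects absolute entry names (including Windows drive letters) and normalized paths that begin with "..", and an on-disk pass resolves the destination through any symlink already present under the extraction root and refuses it if the resolved path leaves that root. The fixture directory under the system temp path, the "extract"/"outside"/"link" names and the sample entry names are all constructed for the demonstration; the check_entry function and Verdict enum are this example's own, not a bit7z API.

```cpp
// Added example (not bit7z code): validate an archive entry's destination
// before anything is written, covering relative, absolute and symlink escapes.
#include <algorithm>
#include <cctype>
#include <filesystem>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

enum class Verdict { Safe, AbsolutePath, RelativeEscape, SymlinkEscape };

const char* to_string(Verdict v) {
    switch (v) {
        case Verdict::Safe:           return "safe";
        case Verdict::AbsolutePath:   return "absolute path rejected";
        case Verdict::RelativeEscape: return "relative traversal rejected";
        default:                      return "symlink escape rejected";
    }
}

// Stage 1: purely lexical checks on the entry name as stored in the archive.
// Backslashes are treated as separators so Windows-style names are judged the
// same way on POSIX hosts. On success, safe_relative receives the normalized
// relative path (e.g. "a/../b/c" becomes "b/c").
Verdict check_lexical(std::string entry_name, fs::path& safe_relative) {
    std::replace(entry_name.begin(), entry_name.end(), '\\', '/');
    const bool drive_letter = entry_name.size() >= 2 &&
        std::isalpha(static_cast<unsigned char>(entry_name[0])) && entry_name[1] == ':';
    const fs::path entry(entry_name);
    if (entry.is_absolute() || entry.has_root_name() || drive_letter ||
        entry_name.rfind('/', 0) == 0)
        return Verdict::AbsolutePath;
    const fs::path normal = entry.lexically_normal();  // collapses "x/../y", keeps a leading ".."
    if (!normal.empty() && normal.begin()->string() == "..")
        return Verdict::RelativeEscape;
    safe_relative = normal;
    return Verdict::Safe;
}

// Stage 2: resolve against the real filesystem. A symlink already present under
// root (for example one written by an earlier entry of the same archive) is
// followed, and the write is refused if the resolved destination leaves root.
Verdict check_on_disk(const fs::path& root, const fs::path& safe_relative) {
    const fs::path root_c = fs::weakly_canonical(root);
    const fs::path dest_c = fs::weakly_canonical(root / safe_relative);
    const auto mm = std::mismatch(root_c.begin(), root_c.end(), dest_c.begin(), dest_c.end());
    return mm.first == root_c.end() ? Verdict::Safe : Verdict::SymlinkEscape;
}

Verdict check_entry(const fs::path& root, const std::string& entry_name) {
    fs::path rel;
    const Verdict v = check_lexical(entry_name, rel);
    if (v != Verdict::Safe || rel.empty())
        return v;  // empty entries (e.g. ".") need no on-disk check
    return check_on_disk(root, rel);
}

// Constructed fixture: an extraction root containing a symlink that points
// outside it, the situation a malicious archive creates before writing through it.
fs::path setup_fixture() {
    const fs::path base = fs::temp_directory_path() / "cve-2026-27117-demo";
    fs::remove_all(base);
    fs::create_directories(base / "extract" / "docs");
    fs::create_directories(base / "outside");
    fs::create_directory_symlink(base / "outside", base / "extract" / "link");
    return base / "extract";
}

void teardown_fixture(const fs::path& root) { fs::remove_all(root.parent_path()); }

int main() {
    const fs::path root = setup_fixture();
    // Constructed entry names, one per mechanism plus a benign one.
    for (const char* name : {"docs/readme.txt",
                             "../../../../../../etc/cron.d/malicious",
                             "/etc/passwd",
                             "C:\\Windows\\System32\\config",
                             "link/payload.txt",
                             "docs/../link/payload.txt"})
        std::cout << name << " -> " << to_string(check_entry(root, name)) << '\n';
    teardown_fixture(root);
    return 0;
}
```

The two stages are deliberately separate: the lexical pass is cheap and catches the "../" and absolute-path cases before any filesystem call, while the on-disk pass is what actually defends against symlinks, because a symlink planted by an earlier entry is invisible to string inspection of the later entry's name. The check must run for every entry, not once per archive, since the symlink only exists after the earlier entry has been extracted.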
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.