CVE-2026-43616 Overview
CVE-2026-43616 is a path traversal vulnerability (CWE-23) in Detect-It-Easy versions prior to 3.21. Detect-It-Easy (DIE) is a widely used file type identification tool for malware analysis and reverse engineering. The flaw allows attackers to write arbitrary files to the filesystem by crafting malicious archive entries containing relative traversal sequences or absolute paths. Insufficient path normalization during archive extraction lets files land outside the intended extraction directory. Attackers can achieve persistent code execution by overwriting user startup scripts.
Critical Impact
A malicious archive opened in a vulnerable version of Detect-It-Easy can write files anywhere the user has permissions, enabling persistence through overwritten startup scripts and arbitrary code execution on next login.
Affected Products
- Detect-It-Easy (DIE) versions prior to 3.21
- DIE-engine component (horsicq/DIE-engine)
- XArchive and Formats supporting libraries used by DIE
Discovery Timeline
- 2026-05-04 - CVE-2026-43616 published to NVD
- 2026-05-05 - Last updated in NVD database
Technical Details for CVE-2026-43616
Vulnerability Analysis
Detect-It-Easy extracts archive entries during file analysis without validating that the resolved output path remains inside the user-specified extraction directory. The extraction routine in xformats.cpp concatenates the destination folder with the entry name supplied by the archive header. When that entry name contains relative traversal segments such as ..\..\..\ or is an absolute path, the resulting write destination lands outside the extraction directory.
The vulnerability falls under CWE-23: Relative Path Traversal. Because Detect-It-Easy is commonly used by analysts to inspect untrusted samples, the trust boundary is crossed the moment a hostile archive is opened. The primitive is an arbitrary file write rather than a read, so the direct impact is on file integrity (and on availability, when an existing file is overwritten); confidentiality is affected only indirectly, through the code execution that a planted startup script provides.
Root Cause
The extraction loop iterated over archive records and used the original archive entry name directly when constructing the output file path. No canonicalization step verified that the final absolute path was a child of the chosen extraction folder, so entries with embedded ../ sequences or absolute paths were written verbatim. The patch introduces a canonical root computed as QDir::cleanPath(QDir(sFolderName).absolutePath()) so that each entry's resolved path can be checked against the trusted root before any write occurs. Two details matter for that check: the entry path must be normalized the same way before comparison, and the comparison must require the root followed by a directory separator as the prefix, since a bare string-prefix test would accept a sibling directory whose name merely begins with the root's name. QDir::cleanPath is also purely lexical: it collapses .. segments but does not resolve symbolic links, so symlinks beneath the extraction directory remain a separate concern.
Attack Vector
Exploitation requires the local victim to open or analyze a malicious archive in Detect-It-Easy. An attacker delivers a crafted archive (for example, by labeling it as a suspicious sample for analysis) containing entries whose names traverse out of the extraction directory. When the analyst extracts the archive, files are written to attacker-chosen locations such as ~/.bashrc, ~/.config/autostart/, or Windows Startup folders. The next user login or shell launch executes the planted payload, achieving persistence and code execution under the analyst's account.
qint32 nGlobalIndex = XBinary::getFreeIndex(pPdStruct);
XBinary::setPdStructInit(pPdStruct, nGlobalIndex, nNumberOfRecords);
+ QString sCanonicalRoot = QDir::cleanPath(QDir(sFolderName).absolutePath());
+
for (qint32 i = 0; (i < nNumberOfRecords) && XBinary::isPdStructNotCanceled(pPdStruct); i++) {
QString sPrefName = pListRecords->at(i).mapProperties.value(XBinary::FPART_PROP_ORIGINALNAME).toString();
#ifdef QT_DEBUG
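Review bot: sCanonicalRoot is computed once before the loop, but nothing in the visible lines applies it to sPrefName; the per-entry rejection of any resolved path outside the root has to run on every iteration, before the first file is created, and the comparison should use sCanonicalRoot plus a directory separator as the prefix so that a sibling directory whose name merely begins with the root's name is not accepted. Note also that QDir::cleanPath is a lexical normalization: it collapses ".." segments but does not resolve symbolic links, so if symlink entries can be extracted earlier in the same loop, a later entry can still be redirected through them; consider refusing symlink entries or checking the parent directory with QFileInfo::canonicalFilePath before writing.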
Source: horsicq/Formats commit 56cdf50. The patch establishes a canonical root path so subsequent entry paths can be validated against it before extraction.
Detection Methods for CVE-2026-43616
Indicators of Compromise
- Unexpected modifications to user startup scripts such as ~/.bashrc, ~/.profile, ~/.zshrc, or files under ~/.config/autostart/ shortly after Detect-It-Easy was launched.
- New or modified files under Windows %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ correlated with die.exe or diec.exe process activity.
- Archive samples containing entries with names beginning with ../, ..\, /, or drive-letter prefixes like C:\.
Detection Strategies
- Hunt for file writes by die.exe, diec.exe, or die processes whose target path resolves outside the configured extraction directory.
- Inspect archives queued for analysis with a pre-screening tool that lists entry names and flags traversal sequences before they reach Detect-It-Easy.
- Monitor file integrity on shell rc files and autostart locations on analyst workstations and sandboxes.
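As an added example (not code from the Detect-It-Easy project or from the advisory), the following Python screener applies the root-plus-separator check described under Root Cause to every entry of a zip archive before the archive reaches an extraction tool, and flags the entry-name patterns listed under Indicators of Compromise. The archive it screens is constructed inline, and the root /tmp/extract and all function names are the example's own. It handles zip only because Python ships a zip parser; the same check applies unchanged to any format's entry names.

```python
"""Archive pre-screener: reject entries that would escape the extraction root.
Added example, not Detect-It-Easy code. The root path, function names and the
sample archive are this example's own constructions."""
import io
import posixpath
import sys
import zipfile
from typing import List, Tuple


def resolve_entry(name: str, root: str) -> str:
    """Lexically resolve an archive entry name against an absolute root.

    Like QDir::cleanPath in the fix, normpath collapses '.' and '..' but does
    not follow symlinks; the caller still owns that concern.
    """
    if not root.startswith("/"):
        raise ValueError("extraction root must be absolute")
    # Archive writers disagree on separators; treat both as directory separators.
    unified = name.replace("\\", "/")
    return posixpath.normpath(posixpath.join(posixpath.normpath(root), unified))


def is_safe_entry(name: str, root: str) -> bool:
    """True only if the entry lands strictly inside root.

    Absolute paths and drive-letter prefixes are refused before any join.
    The prefix test includes the separator: with root /tmp/out, a bare
    startswith("/tmp/out") would accept /tmp/outside/evil.
    """
    unified = name.replace("\\", "/")
    if unified.startswith("/") or (len(unified) > 1 and unified[1] == ":"):
        return False
    canonical_root = posixpath.normpath(root)
    return resolve_entry(name, root).startswith(canonical_root + "/")


def screen_zip(data: bytes, root: str) -> List[Tuple[str, str]]:
    """Return (entry_name, reason) for each entry that should block extraction."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not is_safe_entry(name, root):
                findings.append((name, "resolves outside the extraction root"))
            elif ".." in name.replace("\\", "/").split("/"):
                # Lands inside root after normalization, but an honest archive
                # has no reason to contain '..' at all; flag it for review.
                findings.append((name, "contains a '..' segment"))
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: one benign entry plus a hostile entry name of each
    kind listed under Indicators of Compromise (payload text is a placeholder)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("readme.txt", "benign content\n")
        zf.writestr("../../../home/analyst/.bashrc", "# planted rc\n")
        zf.writestr("..\\..\\..\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows"
                    "\\Start Menu\\Programs\\Startup\\p.bat", "rem planted\n")
        zf.writestr("/etc/cron.d/persist", "# planted cron\n")
        zf.writestr("C:\\Windows\\Temp\\x.exe", b"MZ")
        zf.writestr("../extract/inside.txt", "stays inside but uses ..\n")
    return buf.getvalue()


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "/tmp/extract"
    for entry, reason in screen_zip(build_sample_archive(), root):
        print(f"BLOCK {entry!r}: {reason}")
```

Run it with no arguments to see the five hostile entries blocked while readme.txt passes; pass a different absolute root as the first argument to screen against that directory. The last sample entry shows why the screener reports '..' even when the name resolves inside the root: the path is harmless after normalization, but a benign archive has no reason to contain it.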
Monitoring Recommendations
- Enable process and file-creation telemetry on reverse-engineering hosts and forward it to a centralized log store for correlation.
- Alert on Detect-It-Easy process trees that spawn shells, scripting hosts, or write to persistence locations.
- Track Detect-It-Easy version strings across the fleet to confirm all installations are at 3.21 or later.
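As an added example over constructed telemetry (the event fields ts, process, pid, op and path are an assumption, not any EDR's schema, and the extraction roots and rule names are the example's own), this Python detector applies the hunts above: writes by die or diec processes that hit the startup-file and autostart locations listed under Indicators of Compromise, and writes that resolve outside the configured extraction directories.

```python
"""Detect Detect-It-Easy processes writing to persistence locations or outside
their extraction directory. Added example over constructed telemetry; the event
schema, process list, roots and rule names are this example's assumptions."""
import json
import posixpath
import re
from typing import Dict, Iterable, List, Optional

# GUI and console binary names from the indicators above.
DIE_PROCESS_NAMES = {"die", "die.exe", "diec", "diec.exe"}

# Persistence targets named under Indicators of Compromise, matched on
# forward-slash-normalized paths so Windows and POSIX events share one rule set.
PERSISTENCE_PATTERNS = [
    re.compile(r"^/home/[^/]+/\.(bashrc|profile|zshrc)$"),
    re.compile(r"^/home/[^/]+/\.config/autostart/"),
    re.compile(r"/Microsoft/Windows/Start Menu/Programs/Startup/", re.IGNORECASE),
]


def normalize(path: str) -> str:
    """Unify separators and collapse '.'/'..' lexically (no symlink resolution)."""
    return posixpath.normpath(path.replace("\\", "/"))


def inside_any_root(path: str, roots: Iterable[str]) -> bool:
    """Prefix test that includes the separator, so /tmp/extract-evil is not
    mistaken for a child of /tmp/extract."""
    p = normalize(path)
    return any(p.startswith(normalize(r) + "/") for r in roots)


def classify_event(event: Dict, roots: Iterable[str]) -> Optional[Dict]:
    """Return an alert for a DIE file write that hits persistence or leaves the root."""
    if event.get("op") not in {"write", "create"}:
        return None
    if str(event.get("process", "")).lower() not in DIE_PROCESS_NAMES:
        return None
    path = normalize(event["path"])
    base = {"ts": event["ts"], "pid": event["pid"],
            "process": event["process"], "path": event["path"]}
    if any(p.search(path) for p in PERSISTENCE_PATTERNS):
        return dict(base, severity="high", rule="die_persistence_write")
    if not inside_any_root(path, roots):
        return dict(base, severity="medium", rule="die_write_outside_extraction_root")
    return None


def scan(lines: Iterable[str], roots: Iterable[str]) -> List[Dict]:
    """Run classify_event over JSON-lines telemetry; malformed lines are skipped."""
    roots = list(roots)
    alerts = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        alert = classify_event(event, roots)
        if alert:
            alerts.append(alert)
    return alerts


# Constructed telemetry (not real logs): one diec session on Linux and one
# die.exe session on Windows, with an unrelated bash write mixed in.
SAMPLE_TELEMETRY = r"""
{"ts": "2026-05-06T10:00:01Z", "process": "diec", "pid": 4242, "op": "write", "path": "/tmp/extract/sample/readme.txt"}
{"ts": "2026-05-06T10:00:02Z", "process": "diec", "pid": 4242, "op": "write", "path": "/home/analyst/.bashrc"}
{"ts": "2026-05-06T10:00:02Z", "process": "diec", "pid": 4242, "op": "create", "path": "/home/analyst/.config/autostart/update.desktop"}
{"ts": "2026-05-06T10:00:03Z", "process": "diec", "pid": 4242, "op": "write", "path": "/tmp/extract-evil/x"}
{"ts": "2026-05-06T10:00:04Z", "process": "bash", "pid": 4300, "op": "write", "path": "/home/analyst/.bashrc"}
{"ts": "2026-05-06T10:01:00Z", "process": "die.exe", "pid": 777, "op": "write", "path": "C:\\Users\\analyst\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\p.bat"}
{"ts": "2026-05-06T10:01:01Z", "process": "die.exe", "pid": 777, "op": "write", "path": "C:\\Users\\analyst\\extract\\sample.bin"}
"""

EXTRACTION_ROOTS = ["/tmp/extract", "C:/Users/analyst/extract"]


if __name__ == "__main__":
    for alert in scan(SAMPLE_TELEMETRY.splitlines(), EXTRACTION_ROOTS):
        print(f'{alert["severity"]:6} {alert["rule"]:34} pid={alert["pid"]} {alert["path"]}')
```

The bash write to ~/.bashrc is deliberately not alerted: the hunt is scoped to Detect-It-Easy processes, and the file-integrity monitoring recommended separately is what catches the same modification regardless of which process made it. Extraction roots are compared with the separator appended for the same reason as in the fix itself; /tmp/extract-evil is reported even though it shares a string prefix with /tmp/extract.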
How to Mitigate CVE-2026-43616
Immediate Actions Required
- Upgrade Detect-It-Easy to version 3.21 or later on every analyst workstation, sandbox, and shared analysis VM.
- Audit user startup scripts and autostart directories on systems where prior versions handled untrusted archives.
- Restrict analysis of untrusted samples to isolated, non-persistent virtual machines that are reverted after each session.
Patch Information
The vendor fixed the issue in the DIE-engine 3.21 release. Relevant commits include DIE-engine 7fd300b, DIE-engine cbbe168, Formats 56cdf50, and XArchive 6a2aa84. Additional analysis is available in the VulnCheck advisory.
Workarounds
- Avoid opening archive files directly in unpatched Detect-It-Easy installations. Extract with a separately validated archiver first.
- Run Detect-It-Easy under a dedicated low-privileged or container-confined account whose home directory is never used for interactive logins. The write primitive runs as whatever user opened the archive, so an analyst's own account still has full write access to its ~/.bashrc and autostart directory; the separation has to come from a different account or a mandatory access control policy, not merely from the absence of administrator rights.
- Use mandatory access controls (AppArmor, SELinux, or Windows AppLocker) to deny writes by Detect-It-Easy to home-directory startup files and autostart paths.
# Verify the installed Detect-It-Easy version is patched
diec --version
# Example AppArmor-style restriction (concept) for the DIE binary
# deny write access to common persistence targets
# deny owner /home/*/.bashrc w,
# deny owner /home/*/.profile w,
# deny owner /home/*/.config/autostart/** w,
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.