CVE-2026-27117
Published: 24 February 2026
Summary
CVE-2026-27117 is a medium-severity Path Traversal (CWE-22) vulnerability in Rikyoz Bit7Z. Its CVSS base score is 5.5 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Host Software Binary (T1554). It is ranked at the 20.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2026-27117 is a path traversal vulnerability, commonly known as "Zip Slip," affecting bit7z, a cross-platform C++ static library used for compression and extraction of archive files. In versions prior to 4.0.11, the library's archive extraction functionality fails to adequately validate file paths in archive entries. This allows files to be written outside the intended extraction directory through three mechanisms: relative path traversal, absolute path traversal, and symbolic link traversal.
The vulnerability can be exploited by an attacker who provides a malicious archive to any application that uses bit7z to extract untrusted archives. Exploitation requires local access (AV:L) with no privileges (PR:N) but involves user interaction (UI:R), such as prompting a user to extract the archive. Successful exploitation enables arbitrary file writes with the privileges of the extracting process, potentially overwriting application binaries, configuration files, or other sensitive data. While it does not directly enable file reading, secondary confidentiality risks may arise if applications serve or display extracted files, particularly those containing attacker-created symlinks.
The bit7z project has addressed the issue in version 4.0.11, with fixes implemented via specific commits that enhance path validation during extraction. The security advisory (GHSA-qvjh-hhw4-3gx9) and release notes recommend immediate upgrading where possible. Alternative mitigations include manually validating each entry's destination path before writing files, running extraction processes with least privilege, and extracting untrusted archives into a sandboxed directory.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8571
Vulnerability details
bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.11, a path traversal vulnerability ("Zip Slip") exists in bit7z's archive extraction functionality. The library does not adequately validate file paths contained in archive entries, allowing files to be written outside the intended extraction directory through three distinct mechanisms: relative path traversal, absolute path traversal, and symbolic link traversal. An attacker can exploit this by providing a malicious archive to any application that uses bit7z to extract untrusted archives. Successful exploitation results in arbitrary file write with the privileges of the process performing the extraction. This could lead to overwriting of application binaries, configuration files, or other sensitive data. The vulnerability does not directly enable reading of file contents; the confidentiality impact is limited to the calling application's own behavior after extraction. However, applications that subsequently serve or display extracted files may face secondary confidentiality risks from attacker-created symlinks. Fixes have been released in version 4.0.11. If upgrading is not immediately possible, users can mitigate the vulnerability by validating each entry's destination path before writing. Other mitigations include running extraction with least privilege and extracting untrusted archives in a sandboxed directory.
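The interim mitigation above, validating each entry's destination path before writing, has to cover all three mechanisms the advisory names. The following C++17 check is an added example, not bit7z's own code or its 4.0.11 fix: relative and absolute traversal are caught lexically (no filesystem access), and symlink traversal is caught by walking the destination path inside the extraction root and refusing any already-existing component that is a symlink, since an earlier entry may have planted it. The function names, the backslash-to-slash policy, the drive-letter check and the temp-directory demo scenario are this example's own assumptions.

```cpp
#include <cctype>
#include <filesystem>
#include <initializer_list>
#include <iostream>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// Windows-created archives may use backslashes; treat both separators the same
// so a "..\" segment cannot slip past the check. (Constructed policy for this
// example, not bit7z's own normalisation.)
std::string toPortable(std::string name) {
    for (char& c : name) if (c == '\\') c = '/';
    return name;
}

// Mechanisms 1 and 2 (relative and absolute traversal): purely lexical.
// Rejects absolute names, drive-letter names, and any name that still contains
// a ".." segment after normalisation.
bool isLexicallySafe(const std::string& entryName) {
    const std::string s = toPortable(entryName);
    if (s.size() >= 2 && std::isalpha(static_cast<unsigned char>(s[0])) && s[1] == ':')
        return false;                                  // "C:/..." even when checked on POSIX
    const fs::path p(s);
    if (p.is_absolute() || p.has_root_name() || p.has_root_directory())
        return false;                                  // "/etc/passwd", "//server/share"
    const fs::path normalized = p.lexically_normal();  // "a/../../b" -> "../b"
    if (normalized.empty() || normalized.string() == ".")
        return false;                                  // nothing to write
    for (const fs::path& part : normalized)
        if (part.string() == "..") return false;       // climbs above the root
    return true;
}

// Mechanism 3 (symlink traversal): an earlier entry may have planted
// "escape -> /somewhere/outside" so that "escape/payload" lands outside the
// root although its name is lexically clean. Walk from the root and refuse if
// any component that already exists on disk is a symlink.
bool isSymlinkFree(const fs::path& extractRoot, const fs::path& relativeEntry) {
    fs::path current = extractRoot;
    for (const fs::path& part : relativeEntry) {
        if (part.empty()) continue;                    // trailing '/' of a directory entry
        current /= part;
        std::error_code ec;
        const fs::file_status st = fs::symlink_status(current, ec);
        if (fs::is_symlink(st)) return false;
        if (!fs::exists(st)) break;                    // remaining components not created yet
    }
    return true;
}

// The check an extractor would run before opening each destination for writing.
// Returns the destination path, or an empty path if the entry must be skipped.
fs::path safeDestination(const fs::path& extractRoot, const std::string& entryName) {
    if (!isLexicallySafe(entryName)) return {};
    const fs::path rel = fs::path(toPortable(entryName)).lexically_normal();
    if (!isSymlinkFree(extractRoot, rel)) return {};
    return extractRoot / rel;
}

struct DemoResult { bool benignAccepted; bool viaSymlinkRejected; };

// Constructed scenario: an extraction root in which a symlink pointing outside
// has already been created, as a malicious archive's symlink entry would do
// before its "escape/payload.txt" entry is extracted.
DemoResult runSymlinkDemo() {
    std::error_code ec;
    const fs::path root    = fs::temp_directory_path() / "zipslip_demo_root";
    const fs::path outside = fs::temp_directory_path() / "zipslip_demo_outside";
    fs::remove_all(root, ec);
    fs::remove_all(outside, ec);
    fs::create_directories(root / "docs");
    fs::create_directories(outside);
    fs::create_directory_symlink(outside, root / "escape");

    DemoResult r{};
    r.benignAccepted     = !safeDestination(root, "docs/readme.txt").empty();
    r.viaSymlinkRejected =  safeDestination(root, "escape/payload.txt").empty();

    fs::remove_all(root, ec);
    fs::remove_all(outside, ec);
    return r;
}

int main() {
    for (const char* name : {"docs/readme.txt", "../../etc/passwd", "/etc/passwd",
                             "C:\\Windows\\evil.dll", "docs/../../x"})
        std::cout << (isLexicallySafe(name) ? "accept " : "REJECT ") << name << '\n';
    const DemoResult d = runSymlinkDemo();
    std::cout << "benign entry accepted: " << d.benignAccepted
              << ", entry through symlink rejected: " << d.viaSymlinkRejected << '\n';
}
```

Note that the symlink walk also covers the final component: if the destination file itself is already a symlink, opening it for writing would follow the link, so the entry is skipped rather than unlinked. Symlink entries in the archive itself still need their own target check (target must resolve inside the root), which this example does not perform.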
- CWE(s): CWE-22 (Path Traversal)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Arbitrary file write via Zip Slip path traversal directly enables overwriting application binaries (Compromise Host Software Binary, T1554) and placing malicious payloads/DLLs where they hijack execution or search order (Hijack Execution Flow, T1574).
Mitigating Controls (NIST 800-53 r5)
- Input validation (SI-10): directly requires validation of untrusted archive entry paths to block relative, absolute, and symlink traversal writes outside the intended directory.
- Least privilege (AC-6): limits the privileges of the extraction process so that successful path traversal can only affect files the process is already authorized to modify.
- Process isolation: requires isolation or sandboxing of the extraction operation, confining any files written via traversal to a restricted execution environment.