Cyber Resilience

CVE-2026-27117

Medium · Public PoC

Published: 24 February 2026

Modified: 25 February 2026
KEV Added: not listed
Patch: fixed in 4.0.11
CVSS v3.1 score: 5.5 (vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N)
EPSS score: 0.0006 (20.3rd percentile)
Risk priority: 11 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-27117 is a medium-severity Path Traversal (CWE-22) vulnerability in Rikyoz Bit7Z. Its CVSS base score is 5.5 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Compromise Host Software Binary (T1554). The CVE is ranked at the 20.3rd percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2026-27117 is a path traversal vulnerability, commonly known as "Zip Slip," affecting bit7z, a cross-platform C++ static library used for compression and extraction of archive files. In versions prior to 4.0.11, the library's archive extraction functionality fails to adequately validate file paths in archive entries. This allows files to be written outside the intended extraction directory through three mechanisms: relative path traversal, absolute path traversal, and symbolic link traversal.

The vulnerability can be exploited by an attacker who provides a malicious archive to any application that uses bit7z to extract untrusted archives. Exploitation requires local access (AV:L) with no privileges (PR:N) but involves user interaction (UI:R), such as prompting a user to extract the archive. Successful exploitation enables arbitrary file writes with the privileges of the extracting process, potentially overwriting application binaries, configuration files, or other sensitive data. While it does not directly enable file reading, secondary confidentiality risks may arise if applications serve or display extracted files, particularly those containing attacker-created symlinks.

The bit7z project has addressed the issue in version 4.0.11, with fixes implemented in commits that tighten path validation during extraction. The security advisory (GHSA-qvjh-hhw4-3gx9) and release notes recommend upgrading immediately where possible. Where upgrading is not yet possible, the alternative mitigations are to validate each entry's destination path before writing any file, to run the extraction process with least privilege, and to extract untrusted archives into a sandboxed directory.

Vulnerability details

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.11, a path traversal vulnerability ("Zip Slip") exists in bit7z's archive extraction functionality. The library does not adequately validate file paths contained in archive entries, allowing files to be written outside the intended extraction directory through three distinct mechanisms: relative path traversal, absolute path traversal, and symbolic link traversal. An attacker can exploit this by providing a malicious archive to any application that uses bit7z to extract untrusted archives. Successful exploitation results in arbitrary file write with the privileges of the process performing the extraction. This could lead to overwriting of application binaries, configuration files, or other sensitive data. The vulnerability does not directly enable reading of file contents; the confidentiality impact is limited to the calling application's own behavior after extraction. However, applications that subsequently serve or display extracted files may face secondary confidentiality risks from attacker-created symlinks. Fixes have been released in version 4.0.11. If upgrading is not immediately possible, users can mitigate the vulnerability by validating each entry's destination path before writing. Other mitigations include running extraction with least privilege and extracting untrusted archives in a sandboxed directory.
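One way to apply the per-entry validation the advisory recommends, as an added example written for this page (it is not bit7z's own fix): a lexical check of each entry name against the extraction root, a filesystem-aware check run just before each write so a symlink already on disk cannot redirect it, and a check of a symlink entry's own target. Function names and the std::filesystem approach are this example's assumptions; enumerating archive entries is left to the calling code.

```cpp
#include <filesystem>
#include <string>
#include <system_error>

namespace fs = std::filesystem;

// True when `child` is `base` itself or lies beneath it. Both paths must
// already be normalised; lexically_relative starts with ".." when outside.
static bool is_within(const fs::path& base, const fs::path& child) {
    const fs::path rel = child.lexically_relative(base);
    return !rel.empty() && rel.begin()->string() != "..";
}

// Lexical check (no filesystem access) of one archive entry name against the
// extraction root. Rejects absolute names, names with a root name such as
// "C:", and names whose normalised form climbs out of the root via "..".
bool entry_path_is_safe(const fs::path& dest_root, const std::string& entry_name) {
    const fs::path entry(entry_name);
    if (entry.empty() || entry.is_absolute() || entry.has_root_name() ||
        entry.has_root_directory())
        return false;
    const fs::path root = dest_root.lexically_normal();
    return is_within(root, (root / entry).lexically_normal());
}

// Filesystem-aware check to run immediately before each write: resolves any
// symlink already on disk (including one dropped earlier from the same
// archive) so that a link inside dest_root cannot redirect the write outside.
bool resolved_target_is_safe(const fs::path& dest_root, const std::string& entry_name) {
    if (!entry_path_is_safe(dest_root, entry_name)) return false;
    std::error_code ec;
    const fs::path root = fs::weakly_canonical(dest_root, ec);
    if (ec) return false;
    const fs::path target = fs::weakly_canonical(root / entry_name, ec);
    return !ec && is_within(root, target);
}

// For entries that are themselves symlinks: the link target, resolved from the
// link's own directory, must also stay inside dest_root. Absolute targets are
// rejected outright.
bool symlink_target_is_safe(const fs::path& dest_root, const std::string& entry_name,
                            const std::string& link_target) {
    if (!entry_path_is_safe(dest_root, entry_name)) return false;
    const fs::path target(link_target);
    if (target.is_absolute() || target.has_root_name()) return false;
    const fs::path root = dest_root.lexically_normal();
    const fs::path link_dir = (root / entry_name).parent_path();
    return is_within(root, (link_dir / target).lexically_normal());
}
```

Separator handling follows the host platform's std::filesystem rules, so an archive written on another platform should have its entry names normalised by the extractor before these checks run.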

CWE(s)

CWE-22 Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1554 Compromise Host Software Binary (Persistence): Adversaries may modify host software binaries to establish persistent access to systems.
T1574 Hijack Execution Flow (Stealth): Adversaries may execute their own malicious payloads by hijacking the way operating systems run programs.
Why these techniques?

Arbitrary file write via Zip Slip path traversal directly enables overwriting application binaries (T1554) and placing malicious payloads/DLLs to hijack execution/search order (T1574).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-27800 (shared: CWE-22)
CVE-2025-27410 (shared: CWE-22, CWE-23)
CVE-2026-25121 (shared: CWE-22, CWE-23)
CVE-2024-54461 (shared: CWE-22, CWE-23)
CVE-2026-27625 (shared: CWE-22, CWE-23)
CVE-2026-7404 (shared: CWE-22, CWE-23)
CVE-2025-29789 (shared: CWE-22, CWE-23)
CVE-2026-20613 (shared: CWE-22)
CVE-2026-42315 (shared: CWE-22, CWE-36)
CVE-2026-27202 (shared: CWE-22, CWE-23)

Affected Assets

rikyoz bit7z, versions ≤ 4.0.11

Mitigating Controls

NIST 800-53 r5 (AI)

prevent (SI-10 Information Input Validation): Directly requires validation of untrusted archive entry paths to block relative, absolute, and symlink traversal writes outside the intended directory.

prevent (AC-6 Least Privilege): Limits the privileges of the extraction process so that successful path traversal can only affect files the process is already authorized to modify.

prevent: Requires process isolation or sandboxing of the extraction operation, confining any files written via traversal to a restricted execution environment.
