CVE-2026-45380

Source
https://cve.org/CVERecord?id=CVE-2026-45380
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45380.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-45380
Aliases
  • GHSA-8wj8-9jwv-j24v
Published
2026-06-10T20:00:24.177Z
Modified
2026-07-08T08:13:29.748125223Z
Severity
  • 3.6 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
Summary
bit7z: Path Traversal via Null Byte Injection from `gcount()` Off-by-One in `restoreSymlink()`
Details

bit7z is a cross-platform C++ static library that allows the compression/extraction of archive files. Prior to version 4.0.12, a one-byte off-by-one error in SafeOutPathBuilder::restoreSymlink() allows an attacker to craft a .7z archive that, when extracted with bit7z on any non-Windows platform, creates a symlink escaping the intended output directory. Subsequent archive entries extracted through this symlink write arbitrary files outside the extraction directory with the permissions of the extracting process. This issue has been patched in version 4.0.12.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45380.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-193",
        "CWE-22"
    ]
}
References

Affected packages

Git / github.com/rikyoz/bit7z

Affected ranges

Type
GIT
Repo
https://github.com/rikyoz/bit7z
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "4.0.12"
        }
    ]
}

Affected versions

v1.*
v1.0.0
v1.0.0-beta.2
v1.0.0-rc
v2.*
v2.0.0
v2.0.0-beta
v2.1.0
v3.*
v3.0.0
v3.0.0-beta
v3.0.1
v3.1.0
v3.1.0-beta
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.2.0
v4.*
v4.0.0
v4.0.0-rc
v4.0.1
v4.0.10
v4.0.11
v4.0.2
v4.0.3
v4.0.4
v4.0.5
v4.0.6
v4.0.7
v4.0.8
v4.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-45380.json"