7-Zip - Mark-of-the-Web Bypass via RAR5 Alternate Data Stream Name Collision | Advisories

Advisories

7-Zip - Mark-of-the-Web Bypass via RAR5 Alternate Data Stream Name Collision

severity: low
date: 6/27/2026
Affecting: 7-Zip <= 26.02
CVE: CVE-2026-58052
CWE: CWE-693 Protection Mechanism Failure
CVSS: 4.8
CVSS V4 Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
References: Proof of Concept
7-Zip source (ip7z/7zip)
Credit: ashdfrkl
Description: 7-Zip for Windows through 26.02 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA' is not matched and NTFS canonicalizes it to the same stream, overwriting the propagated Internet-zone marker with ZoneId=0. A second STM record named '::$DATA' overwrites the extracted file's default data stream, letting an attacker defeat SmartScreen/MotW warnings and spoof file content.

Ready to get Started?

Explore VulnCheck, a next-generation Cyber Threat Intelligence platform, which provides exploit and vulnerability intelligence to help you prioritize and remediate vulnerabilities that matter.

Vulnerability Prioritization
Prioritize vulnerabilities that matter based on the threat landscape and defer vulnerabilities that don't.
Early Warning System
Real-time alerting of changes in the vulnerability landscape so that you can take action before the attacks start.

Schedule a Demo