CVE-2026-58052

Public on 2026-06-28
Modified on 2026-07-15
Description
7-Zip for Windows through 26.02 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA' is not matched and NTFS canonicalizes it to the same stream, overwriting the propagated Internet-zone marker with ZoneId=0. A second STM record named '::$DATA' overwrites the extracted file's default data stream, letting an attacker defeat SmartScreen/MotW warnings and spoof file content.
Severity
Low severity
Low
See what this means
CVSS v3 Base Score
3.3
See breakdown

Affected Packages

Platform Package Release Date Advisory Status
Amazon Linux 2023 7zip Not Affected
Amazon Linux 2 - Graphicsmagick1.3 Extra p7zip Not Affected
Amazon Linux 2023 p7zip Not Affected

CVSS Scores

Score Type Score Vector
Amazon Linux CVSSv3 3.3 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N