{"id":"CVE-2026-58052","summary":"7-Zip - Mark-of-the-Web Bypass via RAR5 Alternate Data Stream Name Collision","details":"7-Zip for Windows through 26.01 fails to preserve the Mark-of-the-Web when extracting a crafted RAR5 archive, because its guard that suppresses an archive-supplied Zone.Identifier stream matches the exact name 'Zone.Identifier' while a RAR5 STM record named ':Zone.Identifier:$DATA' is not matched and NTFS canonicalizes it to the same stream, overwriting the propagated Internet-zone marker with ZoneId=0. A second STM record named '::$DATA' overwrites the extracted file's default data stream, letting an attacker defeat SmartScreen/MotW warnings and spoof file content.","modified":"2026-07-16T03:48:43.878387059Z","published":"2026-06-28T01:32:54.971Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58052.json","cna_assigner":"VulnCheck","cwe_ids":["CWE-693"]},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58052.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-58052"},{"type":"ADVISORY","url":"https://www.vulncheck.com/advisories/7-zip-mark-of-the-web-bypass-via-rar5-alternate-data-stream-name-collision"},{"type":"PACKAGE","url":"https://github.com/ip7z/7zip"},{"type":"EVIDENCE","url":"https://github.com/bikini/exploitarium/tree/main/7zip-rar5-motw-chain-poc"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ip7z/7zip","events":[{"introduced":"0"},{"last_affected":"8c63d71ff886bda90c86db28466287f977374237"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"26.01"},{"last_affected":"26.02"}],"source":["AFFECTED_FIELD","CPE_RANGE"],"cpe":"cpe:2.3:a:7-zip:7-zip:*:*:*:*:*:*:*:*"}}],"versions":["26.01","26.00","25.01","25.00","24.09","24.08","24.07","24.06","24.05","23.01","22.01","22.00","21.07"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58052.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"}]}