Hi,

On 09/07/2026 17:21, yokota wrote:
Can we either confidently say it is affecting us or is this Windows
specific? The available information is unfortunately very light.

I think CVE-2026-58052 is Windows specific one.
Because it works for Mark-of-the-Web data on Windows file system.

The CVE page has reporters PoC page and describes why it works.

* https://www.cve.org/CVERecord?id=CVE-2026-58052
* https://github.com/bikini/exploitarium/tree/main/7zip-rar5-motw-chain-poc

Looking closer:

- the core issue seems the NTFS canonicalization of 'file:stream:$DATA' to 'file:stream' (and 'file::$DATA' to 'file'), not anticipated by 7zip;

- ntfs-3g supports transparent ADS (streams) with '-o streams_interface=windows', but doesn't canonicalize/strip ':$DATA' like Windows NTFS does;

- the PoC hence doesn't work, even when removing the os==NT check, and even when working in a ntfs-3g mount point with streams_interface on (no content collision).

Also: we don't have Mark-of-the-Web support within the GNU/Linux ecosystem desktop environments AFAIK, so overwriting the ':Zone.Identifier' stream doesn't have a security impact.

Overwriting/spoofing the file content itself can be a security problem though. But again, unless a later version of ntfs-3g handles streams differently, we're not affected, and even then we'd only be affected within NTFS mount points with specific options.

Affected package: the PoC manually generates a .rar file that does NOT compress the files hence doesn't use the non-free RAR compression, only of the RAR archive format, so this .rar file is perfectly handled by the base 7zip (not 7zip-rar) package. So I think 7zip is affected (and similarly p7zip).

Cheers!
Sylvain

Reply via email to