7-Zip RAR5 flaw can bypass the Mark-of-the-Web warning
A crafted RAR5 archive can make 7-Zip for Windows drop the Mark-of-the-Web (MotW) when it extracts a file, so a downloaded program can slip past the SmartScreen and Office Protected View warnings that normally guard files from the internet. The flaw is tracked as CVE-2026-58052 and affects 7-Zip through version 26.02, the current release. If you ever open archives from people you do not know, it changes how carefully you should extract an archive.
Last reviewed: 2026-07-18
What happened
The National Vulnerability Database published CVE-2026-58052 on 2026-06-27. It describes how 7-Zip suppresses an archive-supplied Zone.Identifier stream by matching the exact name "Zone.Identifier", while a RAR5 stream record named ":Zone.Identifier:$DATA" is not matched. Windows NTFS then canonicalizes that record to the same stream and overwrites the internet marker with a zero zone, so the extracted file no longer looks like it came from the web. A second record named "::$DATA" can overwrite the file's own contents. The result is a file that defeats the SmartScreen and MotW checks Windows relies on.
Checked on 18 July 2026, the flaw is rated CVSS 4.0 = 4.8 and remains open: the latest 7-Zip release is still 26.02 (2026-06-25), and no fixed build had shipped at the time of writing. This is a separate issue from the earlier WinRAR recovery-record flaw; it affects 7-Zip specifically, on Windows systems that extract onto NTFS drives.
| Detail | Value |
|---|---|
| Identifier | CVE-2026-58052 |
| Affected | 7-Zip for Windows through 26.02 |
| Trigger | Extracting a crafted RAR5 archive onto NTFS |
| Impact | Mark-of-the-Web dropped; SmartScreen / Protected View bypass |
| Status | Unpatched as of 2026-07-18 (latest 26.02) |
Why it matters for everyday files
The Mark-of-the-Web is the quiet tag Windows adds to anything you download, and it is what makes SmartScreen warn you before an installer runs and makes Office open a document in Protected View. When an archive can erase that tag during extraction, a program pulled from a RAR5 file you were sent could launch with no warning at all. The risk is highest for the exact habit this site is built around: opening archives that arrived by email, chat, or a random download link. It does not affect archives you packed yourself.
What to do with your files right now
Until a fixed 7-Zip build ships, these steps keep the risk contained:
- Do not extract RAR5 archives from senders you do not trust with 7-Zip 26.02 or earlier on Windows. Wait for the archive to be verified another way first.
- Watch for the next 7-Zip release at the official 7-zip.org download page and update as soon as a build after 26.02 appears.
- Peek inside an untrusted archive first. The unzip file tool and the extract ZIP RAR 7Z guide let you see what an archive holds before you commit to unpacking it on your desktop.
- Leave SmartScreen and Protected View on. They are the checks this flaw targets, so they still matter for every other download.
Sources
- NVD - CVE-2026-58052 (checked 2026-07-18)
- MITRE CVE Record - CVE-2026-58052
- VulnCheck advisory (assigning CNA)
- 7-Zip release history (latest 26.02, 2026-06-25)