
The issue, tracked as CVE-2026-0866 and documented in CERT Coordination Center Vulnerability Note VU#976247, highlights how manipulated archive metadata can prevent security scanners from properly analyzing compressed files.
Malformed ZIP Headers Bypass Security Scanning
ZIP archives contain metadata that tells software how to decompress and process files stored within them.
This metadata includes fields such as the compression method, version information, and file flags. Antivirus and EDR systems typically rely on these values to determine how to extract and scan the contents of an archive.
Researchers found that attackers can tamper with the compression method field in a ZIP file’s header. When this field is modified incorrectly, security software may fail to decompress the archive properly.
As a result, the scanning engine cannot access the embedded payload and may incorrectly classify the file as safe or simply corrupted.
Despite the malformed header, the malicious content can still be extracted programmatically using custom tools designed to ignore the incorrect metadata.
This allows attackers to conceal malware within the archive while bypassing automated security inspection.
In a typical attack scenario, a threat actor crafts a ZIP archive containing malicious code and intentionally modifies the archive’s metadata fields.
Security tools attempt to read the header to determine how to decompress the archive. Because the compression method field is manipulated, the scanner fails to extract the contents and cannot analyze the hidden payload.
However, attackers can later recover the embedded data using a custom loader that bypasses the declared compression method and directly decompresses the raw data. Once extracted, the hidden payload can be executed on the target system.
Interestingly, common archive extraction utilities such as 7-Zip, unzip, bsdtar, and Python’s zipfile module generally trust the declared compression method inside the ZIP header. When the header contains manipulated values, these tools attempt decompression but eventually fail with errors such as “unsupported compression method” or CRC verification failures.
As a result, the payload remains hidden from both security scanners and standard extraction tools.
Affected Vendors and Mitigation
CERT/CC reported that Cisco is currently listed as affected, while the status of several other vendors remains unknown, including Avast, Bitdefender, Avira, Baidu, and AVG.
Security experts recommend that antivirus and EDR vendors avoid relying solely on declared archive metadata when scanning compressed files.
Instead, detection engines should validate whether the compression method field matches the actual data structure within the archive.
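The following is an added illustration of that kind of check, written for this article and not taken from the advisory or from any vendor's scanner. It walks a ZIP's central directory, pulls each member's raw bytes from the local file header, and decides what the data actually decodes as (stored or raw DEFLATE) from the CRC32 and size recorded in the central directory, ignoring the declared method; a member whose declared method disagrees with that result, or whose local and central headers disagree with each other, is reported. It uses only the Python standard library; the sample archive and the unsupported method value 99 are constructed here for the demonstration.

```python
import io
import struct
import zipfile
import zlib

STORED, DEFLATED = 0, 8
LOCAL_HDR = struct.Struct("<4sHHHHHIIIHH")  # fixed 30-byte part of a local file header


def infer_method(raw: bytes, crc: int, size: int):
    """Decide which method the bytes really decode with by checking CRC32 and
    uncompressed size against the central-directory values, never the declared method."""
    if len(raw) == size and zlib.crc32(raw) == crc:
        return STORED
    try:
        out = zlib.decompress(raw, -15)  # raw DEFLATE stream, no zlib header
    except zlib.error:
        return None
    return DEFLATED if len(out) == size and zlib.crc32(out) == crc else None


def audit_zip(data: bytes) -> list:
    """Return one finding per member whose declared method does not match its data."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:  # used only to walk the central directory
        for info in zf.infolist():
            fields = LOCAL_HDR.unpack_from(data, info.header_offset)
            if fields[0] != b"PK\x03\x04":
                raise ValueError(f"bad local header for {info.filename}")
            local_method, name_len, extra_len = fields[3], fields[9], fields[10]
            start = info.header_offset + LOCAL_HDR.size + name_len + extra_len
            raw = data[start:start + info.compress_size]
            actual = infer_method(raw, info.CRC, info.file_size)
            if actual != info.compress_type or local_method != info.compress_type:
                findings.append({"name": info.filename, "central": info.compress_type,
                                 "local": local_method, "actual": actual})
    return findings


def build_sample(tamper: bool) -> bytes:
    """Constructed test input: a one-member DEFLATE archive; with tamper=True the
    method field in both headers is overwritten with an unsupported value (99)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("sample.txt", b"constructed sample content " * 40)
    data = bytearray(buf.getvalue())
    if tamper:
        struct.pack_into("<H", data, 8, 99)  # method field of the local header
        struct.pack_into("<H", data, data.find(b"PK\x01\x02") + 10, 99)  # central directory
    return bytes(data)


if __name__ == "__main__":
    print(audit_zip(build_sample(tamper=False)))  # []
    print(audit_zip(build_sample(tamper=True)))   # one finding: central 99, local 99, actual 8
```

On the tampered sample, `zipfile.ZipFile(...).open("sample.txt")` raises an unsupported-method error, which is the failure mode the article describes, while `audit_zip` still recovers the member as DEFLATE and flags the mismatch.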
Organizations and users can reduce risk by following these security practices:
- Treat corrupted or suspicious ZIP archives as potential threats.
- Avoid opening archives received from untrusted sources.
- Ensure antivirus and EDR solutions are fully updated.
- Monitor vendor advisories for patches or mitigation guidance.
The vulnerability was reported by security researcher Christopher Aziz, and the advisory was authored by Laurie Tyzenhaus of the CERT Coordination Center.
As attackers continue to develop creative evasion techniques, the discovery highlights the need for more robust archive inspection methods within modern security tools.
The post Malformed ZIP Files Allow Attackers to Bypass Antivirus and EDR Detection appeared first on Cyber Security News.
