CVE-2026-44722 in pyzipperinfo

Summary

by MITRE • 07/17/2026

pyzipper is a replacement for Python's zipfile that can read and write AES encrypted zip files. Prior to 0.4.0, a Python operator precedence bug in pyzipper/zipfile_aes.py caused the AE-2 format to never be automatically selected during encryption, causing encrypted entries to be written in AE-1 format and exposing the plaintext CRC32 checksum in the ZIP header and, for unseekable zip archives, in the datadescripter section, allowing an attacker who possesses the archive to brute-force candidate plaintexts for small or low-entropy files by comparing CRC32 values. This issue is fixed in version 0.4.0.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The pyzipper library serves as a Python implementation for handling AES encrypted zip files, providing functionality that extends beyond Python's standard zipfile module. This library enables developers to create and manipulate zip archives with advanced encryption capabilities using the AES-256 algorithm. The vulnerability described affects versions prior to 0.4.0 where a critical operator precedence flaw exists in the zipfile_aes.py file responsible for encryption operations.

The technical flaw stems from improper operator precedence handling within the encryption selection logic, specifically preventing the automatic selection of the AE-2 format during encryption processes. This bug causes encrypted entries to be written using the older AE-1 format instead of the more secure AE-2 format. The AE-1 format exposes the plaintext CRC32 checksum directly in the ZIP file header, while for unseekable archives, this information also appears in the data descriptor section. This exposure creates a significant security weakness that undermines the encryption's effectiveness.

The operational impact of this vulnerability is substantial as it allows attackers with access to the encrypted archive to perform brute force attacks against small or low-entropy files. By comparing CRC32 values between the exposed checksum and candidate plaintexts, adversaries can efficiently guess the contents of sensitive files without needing to decrypt the entire archive. This represents a direct violation of confidentiality principles and demonstrates how implementation flaws can compromise cryptographic protections. The vulnerability aligns with CWE-691 which addresses insufficient control flow management and represents a classic example of how seemingly minor code defects can create significant security risks.

The fix implemented in version 0.4.0 corrects the operator precedence issue, ensuring that the AE-2 format is properly selected during encryption operations. This update restores the intended security properties of the library by preventing the exposure of plaintext checksums in the archive structure. Organizations using pyzipper should immediately upgrade to version 0.4.0 or later to mitigate this vulnerability. The remediation addresses core security requirements outlined in various cybersecurity frameworks including those related to encryption integrity and data protection standards that require proper implementation of cryptographic protocols.

From an attack perspective, this vulnerability maps to ATT&CK technique T1566 which involves phishing with malicious attachments, as attackers could exploit this weakness when targeting encrypted zip files containing sensitive information. The flaw also relates to credential access patterns where attackers might attempt to recover plaintext data from compromised archives. Given the widespread use of zip encryption in various security contexts, this vulnerability represents a critical concern for organizations relying on pyzipper for secure file handling operations. The issue demonstrates the importance of thorough code review processes and proper testing of cryptographic implementations to prevent such fundamental flaws that can undermine even well-designed security mechanisms.

Responsible

GitHub M

Reservation

05/07/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Might our Artificial Intelligence support you?

Check our Alexa App!