VIR Vulnerability Intelligence Relay

CVE-2026-13165

unknown
Published 2026-06-29 Β· Modified 2026-06-29
πŸ’¬ Discuss on Community ✚ Propose mitigation
CVSS v3
β€”
CVSS v4 NEW
8.6
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L
VIR risk
β€”

Description

SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers).Β An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. ThisΒ can lead to remote code execution. This issue was fixed in version 1.2.2.

Predictions

Exploit likelihood
20%
Patch ETA
β€”

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or β€” if you've already worked around this in production β€” publish your fix to the community-verified tier.

✚ Propose a mitigation on Community β†’ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

References

CWEs

CWE-434

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.