CVE-2026-13165
CWE-434Published: June 29, 2026· Updated: Jun 29, 2026
Official Description
SzafirHost verifies the downloaded native library archive with one JarFile parser (reading the Central Directory) but extracts native libraries with JarInputStream parser (reading sequentially from local file headers). An attacker who controls the served archive can insert a malicious DLL/SO/DYLIB as a local-file-header entry between the last legitimate entry and the Central Directory, without adding it to the Central Directory. The signature verifier never sees the injected entry and accepts the archive as validly signed; the extractor reads it sequentially and writes the attacker library to the native temp directory with no hash check), while the archive-size check still passes. This can lead to remote code execution.
This issue was fixed in version 1.2.2.
Technical Analysis
CVE-2026-13165 can be exploited remotely over the network without requiring physical or adjacent access, significantly expanding the attack surface for threat actors.
Exploitation does not require any privileges, though user interaction (A) is needed, which slightly reduces the risk of mass automated attacks.
CVSS v3.1 Vector Breakdown
Exploit & PoC Resources
All References (2)
Quick Facts
Related CVEs (CWE-434)
Recommended Actions
- →Apply vendor patches immediately
- →Monitor CVE-2026-13165 in threat intel feeds
- →Review IDS/IPS signatures for exploitation attempts