Listen to this Post
The vulnerability exists because the .NET `ZipFile.ExtractToDirectory` API does not validate path traversal sequences (e.g., `..\` or /) inside ZIP entry names before extracting files. An attacker can craft a ZIP file containing an entry like ../../../../Windows/System32/config/SAM. When a vulnerable application calls `ZipFile.ExtractToDirectory` on this malicious ZIP, the .NET runtime writes the file to an absolute path (CWE-36) derived from the crafted entry name, bypassing the intended extraction directory.
The attacker has limited control over the final destination because the traversal is constrained by the file system’s root and the current process’s permissions. However, successful exploitation allows writing arbitrary files—such as configuration files, scripts, or DLLs—to sensitive system locations, leading to tampering or potential elevation of privilege.
The root cause is .NET Core’s improper canonicalization of path components in ZipArchiveEntry.FullName. The framework does not reject entries containing `..` or absolute root indicators (\, /). Consequently, when `ExtractToDirectory` is invoked, the file is written to the absolute path derived from the concatenation of the destination directory and the unvalidated entry name.
The security update patches this by adding a path‑sanitization step inside ZipFile.ExtractToDirectory. It now checks each entry’s `FullName` against the extraction root, rejecting any that would escape the target directory. This ensures that even a malicious ZIP cannot write files outside the intended destination.
dailycve form
Platform: .NET Core
Version: 8.0,9.0,10.0
Vulnerability: Absolute Path Traversal
Severity: Medium
date: May 12, 2026
Prediction: Within 30 days
What Undercode Say
Analytics
Check your .NET version for CVE-2026-32175:
dotnet --info Look for version lines like: .NET SDK 8.0.100 / 9.0.200 / 10.0.100
List installed runtime packages (NuGet):
dotnet list package --include-transitive | grep -E "Microsoft.NetCore.App.Runtime.win"
Vulnerable code pattern (do NOT use):
using System.IO.Compression;
ZipFile.ExtractToDirectory("malicious.zip", "C:\SafeDir");
Safe code (after applying the patch):
using (var archive = ZipFile.OpenRead("user.zip"))
{
foreach (ZipArchiveEntry entry in archive.Entries)
{
// Manual path validation – no longer needed once patched
string target = Path.Combine("C:\SafeDir", entry.FullName);
if (Path.GetRelativePath("C:\SafeDir", target).StartsWith(".."))
throw new InvalidOperationException("Path traversal detected");
entry.ExtractToFile(target, true);
}
}
how Exploit
- Create a ZIP file containing a directory entry with
..\..\..\Windows\System32\evil.dll. - Convince a vulnerable .NET app to call `ZipFile.ExtractToDirectory` on this ZIP.
- The app extracts `evil.dll` to the absolute path
C:\Windows\System32\evil.dll. - The attacker now has placed a malicious DLL in a system directory, ready for DLL‑side‑loading or persistence.
Protection from this CVE
- Update .NET to the patched versions: 8.0.27, 9.0.16, or 10.0.8.
- If updating is not immediate, replace `ZipFile.ExtractToDirectory` with a manual `ZipArchive` loop that validates each entry’s `FullName` before extraction (see safe code above).
- Run `dotnet –info` to verify the installed runtime version.
- For self‑contained apps, recompile and redeploy with the patched runtime.
Impact
An attacker can write arbitrary files and directories to any location on the file system (up to the permissions of the .NET process). While the attacker cannot fully control the exact write path, they can still:
– Overwrite critical system files (e.g., hosts, SAM, configuration files).
– Drop malicious executables or scripts into startup folders.
– Tamper with application binaries, leading to persistent compromise or denial of service.
The CVSS score of 4.3 (Medium) reflects the limited control over the destination, but the potential for data tampering is high (C:N/I:H/A:N).
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

