Zombie ZIP Vulnerability Bypasses 95% of Antivirus Engines Worldwide

By Craig Nash
Tech writer at All Things Geek. Covers artificial intelligence, semiconductors, and computing hardware.
7 Min Read

The Zombie ZIP vulnerability refers to a technique that manipulates ZIP archive headers to hide malware from antivirus scanners. Discovered by Chris Aziz of Bombadil Systems and assigned CVE-2026-0866, the method bypasses 50 of 51 antivirus engines tested on VirusTotal — a figure CERT/CC has flagged in bulletin VU#976247 as a serious risk from malformed archives.

How the Zombie ZIP Vulnerability Actually Works

The core trick is deceptively simple. A standard ZIP archive declares its compression method in a header field. When that field is set to Method=0, it signals that the file is stored as raw, uncompressed bytes. Antivirus engines trust this declaration and scan accordingly. The Zombie ZIP vulnerability exploits exactly that trust.

As Aziz explained in his proof-of-concept publication: “AV engines trust the ZIP Method field. When Method=0 (STORED), they scan the data as raw uncompressed bytes. But the data is actually DEFLATE compressed — so the scanner sees compressed noise and finds no signatures.” The CRC value in the header is also set to the uncompressed payload’s checksum rather than the compressed data’s, which causes standard extraction tools including WinRAR, 7-Zip, unzip, bsdtar, and Python’s zipfile module to fail with CRC errors or unsupported method warnings. The archive appears broken to legitimate tools — but a custom loader that ignores the declared method and forces DEFLATE decompression recovers the payload perfectly, as Aziz noted.

The result is a file that looks corrupted to defenders and functional to attackers. Only one engine out of 51 on VirusTotal flagged the technique during testing, though the brief does not identify which engine succeeded where the rest failed.

Why Zombie ZIP Vulnerability Detection Is So Difficult

The reason the Zombie ZIP vulnerability is so difficult to detect comes down to how antivirus software is architected. Most scanners rely on the metadata inside a ZIP header to decide how to decompress and inspect content before running signature checks. If the header says the data is uncompressed, the scanner processes raw bytes, and DEFLATE-compressed data looks like noise to a raw byte scanner. No signature matches, no alert.

SANS ISC analysis demonstrated this using zipdump.py version 0.0.35, a tool by Didier Stevens. Running the tool with the -f l flag parses the malformed ZIP and identifies a FILE record (PK0304) declaring STORED type but with mismatched sizes: a compressed size of 70 against an uncompressed size of 68. Dumping raw data with the -s data -a flags shows only compressed noise, with no recognisable payload. Only when the -s forcedecompress flag is applied does the actual content, including a test EICAR file, become visible. That size discrepancy, a compressed size larger than the uncompressed size, is itself a flag that something is wrong: for a genuinely STORED entry the bytes in the archive are the file itself, so the two sizes must be equal.

ClamAV confirmed in a vendor statement to CERT/CC that it cannot scan this type of malformed ZIP file. However, ClamAV characterised the issue as a hardening suggestion rather than a vulnerability, noting that it is considering addressing it in a future release. The “vulnerability” label is contested more broadly: security researchers tend to view the issue as a limitation of antivirus scanning logic rather than a flaw in the ZIP format itself.

Zombie ZIP Vulnerability Compared to Prior ZIP Exploits

This is not the first time ZIP metadata tampering has been used to evade security tools. CERT/CC’s bulletin draws a direct parallel to VU#968818 and CVE-2004-0935, an earlier ZIP metadata manipulation technique that caused similar problems for antivirus engines over two decades ago. The fact that a conceptually similar method still bypasses the overwhelming majority of modern engines in 2025 raises uncomfortable questions about how much the underlying scanning architecture has actually evolved.

What makes the current technique more pressing is the public availability of a working proof-of-concept. Aziz published sample archives on GitHub, meaning the barrier to exploitation is low. Threat actors do not need to independently develop the technique — the tooling is already out there.

Is the Zombie ZIP vulnerability a real CVE or just an AV limitation?

The vulnerability has been assigned CVE-2026-0866 and documented in CERT/CC bulletin VU#976247, giving it official recognition. However, ClamAV and several security researchers dispute the “vulnerability” framing, arguing it reflects a limitation in how antivirus engines handle malformed archives rather than a flaw in the ZIP specification or any specific software product. Both interpretations can be true simultaneously — the label matters less than the practical evasion capability it describes.

Can standard tools like WinRAR or 7-Zip extract a Zombie ZIP file?

No. Standard extraction tools including WinRAR, 7-Zip, unzip, bsdtar, and Python’s zipfile module will fail when attempting to extract a Zombie ZIP archive, producing CRC errors or unsupported method warnings due to the header mismatch. Only a custom loader designed to ignore the declared method and force DEFLATE decompression can successfully recover the payload.

How can analysts detect a malformed ZIP using zipdump.py?

Using zipdump.py version 0.0.35 with the -f l flag will parse the malformed archive and surface the size mismatch between compressed and uncompressed fields. The -s forcedecompress flag then reveals the actual payload content. A compressed size larger than the uncompressed size is a reliable indicator that the STORED declaration is false and the data is actually compressed.
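As an added example (not part of the SANS analysis, zipdump.py, or the published proof-of-concept), the following Python scanner applies the same checks described in the zipdump.py walkthrough above and in this FAQ answer: it walks local file headers, flags STORED entries whose compressed and uncompressed sizes differ or whose CRC does not match the raw bytes, and tries a raw DEFLATE inflate as the equivalent of -s forcedecompress. The two-entry test archive is constructed inline with harmless text; entries that use data descriptors (flag bit 3) are assumed absent.

```python
import struct
import zlib

STORED = 0
LOCAL_SIG = b"PK\x03\x04"

def local_entry(name: bytes, body: bytes, method: int, crc: int, usize: int) -> bytes:
    """Pack one local file header (APPNOTE 4.3.7) plus its data, as zipfile would."""
    hdr = struct.pack("<4sHHHHHIIIHH", LOCAL_SIG, 20, 0, method, 0, 0,
                      crc, len(body), usize, len(name), 0)
    return hdr + name + body

def scan_local_headers(data: bytes) -> list[dict]:
    """Walk local file headers and report STORED entries whose header disagrees
    with the bytes that follow. Assumes sizes live in the local header
    (data-descriptor entries, flag bit 3, are not handled here)."""
    findings, pos = [], 0
    while (pos := data.find(LOCAL_SIG, pos)) != -1:
        (_ver, _flags, method, _t, _d, crc, csize, usize,
         name_len, extra_len) = struct.unpack_from("<HHHHHIIIHH", data, pos + 4)
        name = data[pos + 30:pos + 30 + name_len].decode("cp437", "replace")
        start = pos + 30 + name_len + extra_len
        raw = data[start:start + csize]
        entry = {"name": name, "method": method, "csize": csize, "usize": usize, "flags": []}
        if method == STORED:
            if csize != usize:                 # STORED means the two sizes must be equal
                entry["flags"].append("stored_size_mismatch")
            if zlib.crc32(raw) != crc:          # CRC was computed over something else
                entry["flags"].append("stored_crc_mismatch")
            try:                                # the -s forcedecompress step, raw DEFLATE
                if zlib.crc32(zlib.decompress(raw, -15)) == crc:
                    entry["flags"].append("hidden_deflate_stream")
            except zlib.error:
                pass
        findings.append(entry)
        pos = start + csize
    return findings

def constructed_sample() -> bytes:
    """Constructed two-entry test vector for the scanner (not from the PoC):
    an honest STORED entry and one that declares STORED over raw-DEFLATE bytes
    while carrying the CRC of the uncompressed text, as the article describes."""
    text = b"This is a harmless detector test string. " * 4
    honest = local_entry(b"honest.txt", text, STORED, zlib.crc32(text), len(text))
    deflater = zlib.compressobj(9, zlib.DEFLATED, -15)
    deflated = deflater.compress(text) + deflater.flush()
    lying = local_entry(b"zombie.txt", deflated, STORED, zlib.crc32(text), len(text))
    return honest + lying
```

Any entry with a non-empty flags list deserves the forced-decompression treatment before the archive is declared merely corrupt.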

The Zombie ZIP vulnerability is a sharp reminder that antivirus detection is only as reliable as the metadata it trusts. When that metadata lies, 50 out of 51 engines go blind. With a working proof-of-concept already public and CERT/CC raising the alarm, the security industry needs to treat malformed archive handling as a first-class scanning requirement — not an edge case to address in a future release.

Edited by the All Things Geek team.

Source: Tom's Hardware
