Mallory
Low

Zombie ZIP

Identifiers: CVE-2026-0866, CWE-436

CVE-2026-0866 was initially associated with the so-called “Zombie ZIP” technique, in which a crafted ZIP archive declares its entries as STORED (compression method 0) while the entry data is actually a raw DEFLATE stream (compression method 8). Because a STORED entry's header sizes and CRC-32 then no longer describe the bytes actually present, standard extractors typically report a header or CRC mismatch, whereas a custom loader that simply inflates the raw bytes recovers the payload. The reported effect was that some AV/EDR or archive-parsing implementations trust the ZIP metadata, never decompress and inspect the payload, and therefore miss malicious content. However, the CVE record explicitly states that, after publication of the proof of concept and further analysis, the entry was rejected because it does not constitute a valid vulnerability: the described behaviour was determined to be an obfuscation method that does not bypass or impact any implicit or explicit security controls.


ANALYST BRIEF

Impact, mitigation & remediation


Impact


According to the CVE rejection statement, there is no valid security impact recognized for CVE-2026-0866. While earlier reporting characterized the technique as an antivirus/archive-scanning evasion method, the final determination in the CVE record is that it is an obfuscation technique rather than a vulnerability and does not represent a security-control bypass.

Mitigation


Treat malformed, corrupted, or otherwise suspicious ZIP archives as potentially malicious, especially when they arrive from untrusted sources. Keep AV/EDR products and mail/web security controls fully updated. Where possible, detonate suspicious archives in a sandbox, use secondary tooling that inspects the raw entry data rather than trusting the ZIP metadata, and apply policy controls that block or quarantine archives which fail normal parsing. Add detections for ZIP metadata anomalies that betray this technique: STORED entries whose compressed and uncompressed sizes differ, whose raw bytes fail the header CRC-32, or whose bytes inflate as a DEFLATE stream.

Remediation


AV/EDR and archive-processing vendors should harden ZIP parsing so scanners do not rely solely on the declared header metadata. Specifically, they should check that the declared compression method is consistent with the entry data (for a STORED entry, that the compressed and uncompressed sizes agree and the CRC-32 matches the raw bytes; where the raw bytes inflate as DEFLATE, the inflated data is what should be scanned), and handle malformed archives in a fail-safe manner that still subjects the payload to inspection wherever possible. Update affected security products and archive parsers as vendor fixes or hardening improvements become available. CERT/CC notes that Cisco acknowledged ClamAV cannot scan Zombie ZIP files and is considering future hardening.

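The check described in the description, mitigation and remediation paragraphs above, as an added example written for this page (it is not the page's own code, nor the SANS ISC, ClamAV or any vendor scanner): build a constructed Zombie ZIP in memory by writing a normal DEFLATE archive and flipping the method field to STORED in both headers, then inspect every STORED entry against its raw bytes instead of trusting the header, and recover the payload by inflating. Field offsets are assumed from the PKWARE APPNOTE layout (30-byte local header, method at +10 in the central directory header, central directory offset at +16 in the EOCD); `make_zombie_zip`, `inspect_zip`, `is_zombie` and the sample payload are this example's own names and constructed data.

```python
"""Detect "Zombie ZIP" entries (STORED headers wrapping DEFLATE data) and recover the payload.

Added example for this page; not the page's code nor any vendor's scanner. Header layouts
are assumed from the PKWARE APPNOTE. The sample archive and payload are constructed here.
"""
import io
import struct
import zipfile
import zlib
from typing import Optional

LOCAL_SIG = b"PK\x03\x04"
EOCD_SIG = b"PK\x05\x06"
# Local file header: sig, version, flags, method, time, date, crc, csize, usize, nlen, xlen
LOCAL_HDR = "<4sHHHHHIIIHH"


def _write_zip(name: str, payload: bytes, method: int) -> bytearray:
    """Write a single-entry archive with the given compression method (constructed sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", method) as zf:
        zf.writestr(name, payload)
    return bytearray(buf.getvalue())


def make_plain_zip(name: str, payload: bytes) -> bytes:
    """Honest STORED archive, used as the negative control."""
    return bytes(_write_zip(name, payload, zipfile.ZIP_STORED))


def make_zombie_zip(name: str, payload: bytes) -> bytes:
    """DEFLATE archive whose method field is rewritten to STORED in both headers.

    Sizes and CRC are left as written, so the entry now claims to be STORED while its
    data is still a raw deflate stream (mirrors the technique as the page describes it).
    """
    data = _write_zip(name, payload, zipfile.ZIP_DEFLATED)
    assert data[:4] == LOCAL_SIG  # single entry in a seekable buffer: local header at 0
    struct.pack_into("<H", data, 8, zipfile.ZIP_STORED)  # local header method field
    eocd = data.rfind(EOCD_SIG)
    cd_offset = struct.unpack_from("<I", data, eocd + 16)[0]
    struct.pack_into("<H", data, cd_offset + 10, zipfile.ZIP_STORED)  # central dir method
    return bytes(data)


def try_inflate(raw: bytes) -> Optional[bytes]:
    """Return the inflated bytes only if raw is exactly one complete raw-deflate stream."""
    d = zlib.decompressobj(-zlib.MAX_WBITS)  # raw deflate, as used inside ZIP
    try:
        out = d.decompress(raw)
    except zlib.error:
        return None
    if not d.eof or d.unused_data:
        return None
    return out


def inspect_zip(data: bytes) -> list:
    """Check every STORED entry against its raw bytes rather than trusting the header.

    Returns one dict per STORED entry: name, indicator strings (empty when the entry is
    consistent) and the payload recovered by inflating the raw bytes, if any.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.compress_type != zipfile.ZIP_STORED:
                continue
            fields = struct.unpack_from(LOCAL_HDR, data, info.header_offset)
            sig, nlen, xlen = fields[0], fields[9], fields[10]
            indicators, recovered = [], None
            if sig != LOCAL_SIG:
                indicators.append("local header signature missing")
            else:
                start = info.header_offset + struct.calcsize(LOCAL_HDR) + nlen + xlen
                raw = data[start:start + info.compress_size]
                # A genuinely STORED entry has equal sizes and a CRC-32 over the raw bytes.
                if info.compress_size != info.file_size:
                    indicators.append("stored entry with compressed != uncompressed size")
                if zlib.crc32(raw) != info.CRC:
                    indicators.append("raw bytes fail the declared CRC")
                recovered = try_inflate(raw)
                if recovered is not None:
                    indicators.append("raw bytes inflate as a deflate stream")
                    if zlib.crc32(recovered) == info.CRC:
                        indicators.append("inflated data matches the declared CRC")
            findings.append({"name": info.filename, "indicators": indicators, "recovered": recovered})
    return findings


def is_zombie(finding: dict) -> bool:
    return bool(finding["indicators"])


if __name__ == "__main__":
    PAYLOAD = b"MZ" + b"constructed stand-in for an executable body\n" * 30  # constructed
    for f in inspect_zip(make_zombie_zip("invoice.exe", PAYLOAD)):
        print(f["name"], "zombie" if is_zombie(f) else "clean", f["indicators"])
        if f["recovered"] is not None:
            print("recovered payload matches:", f["recovered"] == PAYLOAD)
```

The strongest indicator is the last one: the raw bytes inflate and the result matches the CRC-32 the header declares, which is exactly the state a loader exploits. The size and CRC checks alone also flag ordinary corruption, so treat them as a "fail parsing, quarantine" signal and the inflate-plus-CRC match as the Zombie ZIP signal.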
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory reviewed 2 candidates and filtered both out as fakes, detection scripts, or README-only repos (valid: 0 of 2).

ACTIVITY FEED

Recent activity

24 sources tracked across advisories, community write-ups, and news.

The Hacker News (news), Mar 12, 2026
ThreatsDay Bulletin: OAuth Trap, EDR Killer, Signal Phishing, Zombie ZIP, AI Platform Hack & More

A ZIP header-manipulation evasion technique in which malformed ZIP headers cause antivirus/EDR engines to miss malicious content (false negatives) while some extraction tools or custom loaders still decompress the embedded payload so it can be executed.
SC World (news), Mar 12, 2026
‘Zombie ZIP’ slips malware past 98% of antivirus engines | news | SC Media

A crafted-archive evasion technique in which the ZIP header declares an entry uncompressed (STORED, method 0) while the content is actually DEFLATE-compressed (method 8). AV/EDR engines that trust the metadata scan the compressed bytes as if they were plaintext and miss malware signatures; standard tools may fail to extract because of the malformed header and CRC mismatch, but a custom loader can extract the payload.
SANS ISC Handler's Diary (news), Mar 11, 2026
Analyzing "Zombie Zip" Files (CVE-2026-0866) - SANS ISC

A ZIP file format manipulation technique in which the header claims an entry is STORED (uncompressed) while the payload data remains DEFLATED (compressed), causing many AV engines and standard ZIP utilities to mis-parse or fail to inspect the real content; a custom loader/decompressor is needed to extract the payload, which is what yields the detection bypass.