
Zombie ZIP (CVE-2026-0866) Evades 60 of 63 AV Products

Researchers find compression-flag mismatch lets malicious ZIPs evade scanners


CVE-2026-0866, dubbed "Zombie ZIP," masks a DEFLATE-compressed payload as a stored (uncompressed) ZIP entry, letting it slip past most scanners. Sixty of 63 AV/EDR products on VirusTotal missed the sample, a 95% evasion rate. Until patches roll out, users should verify ZIP sources, scan with multiple engines, avoid opening unexpected archives, and extract only inside a sandbox, bearing in mind that Windows Explorer unpacks the hidden payload while 7-Zip and WinRAR reject the file as corrupt.

13 March 2026

News


Researchers disclosed CVE-2026-0866, an archive-parsing evasion that bypassed 60 of 63 tested Windows antivirus products. A ZIP entry's header claims the file data is stored uncompressed while the bytes that follow are actually a DEFLATE-compressed payload. Scanners that trust the header never inflate the stream, so the real content is never inspected, while the default Windows extractor unpacks it and delivers the malware to the user's system.

How the exploit works

The technique shows how changing a single metadata field can defeat traditional signature-based scanning. Every ZIP entry header carries a compression-method field that declares how the file data is encoded (0 means "stored", no compression; 8 means DEFLATE). Antivirus engines that trust that field see "stored", treat the raw bytes as the file itself, and skip deep inspection, so the compressed bytes are matched against signatures rather than the code they expand to. Windows Explorer ignores the declared method, inflates the DEFLATE stream it actually finds, and writes the malicious code to disk.

The numbers reveal a systemic blind spot. In testing, 60 of 63 products, about 95%, found nothing dangerous in the sample file. Most engines returned no verdict at all ("unknown" rather than "clean"), which points to a widespread inability to parse this malformed archive rather than a missing signature.

Inconsistent extraction tools

Extraction tools respond inconsistently. 7-Zip and WinRAR reject the file as corrupt and refuse to extract it. Windows Explorer and several custom tools proceed anyway, following the embedded payload stream rather than the header declaration. That split is the opening: the archive looks inert to the scanner and corrupt to a strict extractor, but the extractor most Windows users reach for first unpacks it.

What you can do now

Security researchers recommend these interim defenses until vendors ship updated detection signatures:

  • Treat unexpected ZIP files as suspect, especially if your scanner reports them clean.
  • Scan every archive with at least two different engines before extraction.
  • Extract only with tools that reject an archive whose declared compression method or CRC-32 does not match its data (7-Zip and WinRAR refused the sample); do not rely on Windows Explorer, which unpacks it.
  • Open any archive that triggers an integrity or corruption warning only inside a sandbox.
  • Contact your AV or EDR vendor to confirm CVE-2026-0866 support.
  • Deploy email-gateway filters that reject archives with compression-field mismatches.

The path forward

The fix depends on vendor response. Antivirus companies must update their archive parsers so that the compression method declared in each entry header is checked against what the stream actually decodes as, and so that mismatched entries are inflated and scanned rather than skipped. Behavioral analysis and file-integrity checks offer temporary protection, but comprehensive detection requires engine-level changes across the security ecosystem.
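The header mismatch described under "How the exploit works" and the parser check called for here, as an added Python example that is neither the researchers' code nor any vendor's engine. It builds a constructed archive with a harmless, made-up payload, rewrites the compression-method fields from 8 (DEFLATE) to 0 (stored) while leaving the DEFLATE bytes in place, then audits the archive by decoding each entry's bytes without trusting the header and comparing the result with the declared CRC-32 and sizes. The file name, payload and the choice to rewrite both the local and central header fields are assumptions for the demo; the page does not say exactly which fields the real sample alters.

```python
"""Detect ZIP entries whose declared compression method does not match the
bytes actually stored. Added example; assumptions are marked as such."""
import io
import struct
import zipfile
import zlib

STORED, DEFLATED = 0, 8
METHOD_NAMES = {STORED: "stored", DEFLATED: "deflate"}
EOCD_SIG, CDIR_SIG, LFH_SIG = b"PK\x05\x06", b"PK\x01\x02", b"PK\x03\x04"

# Constructed sample payload (assumption): harmless bytes with an "MZ" prefix
# so the entry looks executable-shaped, highly compressible so DEFLATE shrinks it.
SAMPLE_PAYLOAD = b"MZ" + b"\x90" * 4096 + b"constructed sample, not malware"


def central_entries(data: bytes) -> list[dict]:
    """Walk the end-of-central-directory record and every central directory header."""
    eocd = data.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    _, _, _, _, count, _, cd_off, _ = struct.unpack_from("<4sHHHHIIH", data, eocd)
    entries, pos = [], cd_off
    for _ in range(count):
        h = struct.unpack_from("<4sHHHHHHIIIHHHHHII", data, pos)
        if h[0] != CDIR_SIG:
            raise ValueError(f"bad central directory signature at {pos}")
        name_len, extra_len, comment_len = h[10], h[11], h[12]
        name = data[pos + 46 : pos + 46 + name_len].decode("utf-8", "replace")
        entries.append({"name": name, "cd_off": pos, "central_method": h[4],
                        "crc": h[7], "csize": h[8], "usize": h[9], "lfh_off": h[16]})
        pos += 46 + name_len + extra_len + comment_len
    return entries


def actual_encoding(raw: bytes, crc: int, usize: int) -> str:
    """Decide which encoding reproduces the declared CRC-32 and size. The header is
    not consulted: the bytes are tried as stored first, then as raw DEFLATE."""
    if len(raw) == usize and zlib.crc32(raw) == crc:
        return "stored"
    try:
        d = zlib.decompressobj(-zlib.MAX_WBITS)  # raw DEFLATE, no zlib wrapper
        out = d.decompress(raw) + d.flush()
    except zlib.error:
        return "unknown"
    if len(out) == usize and zlib.crc32(out) == crc:
        return "deflate"
    return "unknown"


def audit_zip(data: bytes) -> list[dict]:
    """One finding per entry. 'mismatch' is True when the declared method and the
    decoded reality disagree, or when local and central headers disagree."""
    findings = []
    for e in central_entries(data):
        lfh = struct.unpack_from("<4sHHHHHIIIHH", data, e["lfh_off"])
        if lfh[0] != LFH_SIG:
            raise ValueError(f"bad local header for {e['name']!r}")
        local_method, name_len, extra_len = lfh[3], lfh[9], lfh[10]
        start = e["lfh_off"] + 30 + name_len + extra_len  # data follows name + extra
        raw = data[start : start + e["csize"]]
        declared = METHOD_NAMES.get(e["central_method"], f"method {e['central_method']}")
        actual = actual_encoding(raw, e["crc"], e["usize"])
        findings.append({"name": e["name"], "declared": declared, "actual": actual,
                         "mismatch": declared != actual or local_method != e["central_method"]})
    return findings


def build_archive(name: str, payload: bytes, zombie: bool) -> bytes:
    """Constructed test archive: a normal DEFLATE zip; with zombie=True the method
    field in each local header (offset 8) and central header (offset 10) is
    rewritten to 0 = stored while the DEFLATE bytes stay where they are."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", compression=zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, payload)
    data = bytearray(buf.getvalue())
    if zombie:
        for e in central_entries(bytes(data)):
            struct.pack_into("<H", data, e["lfh_off"] + 8, STORED)
            struct.pack_into("<H", data, e["cd_off"] + 10, STORED)
    return bytes(data)


def stdlib_extract(data: bytes) -> str:
    """What a header-trusting extractor that still verifies CRC-32 does: Python's
    zipfile reads the bytes as 'stored' and then rejects them on the CRC check."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            zf.read(zf.namelist()[0])
        return "extracted"
    except zipfile.BadZipFile as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for label, zombie in (("clean", False), ("zombie", True)):
        archive = build_archive("payload.exe", SAMPLE_PAYLOAD, zombie)
        print(label, audit_zip(archive), stdlib_extract(archive))
```

To check a real archive, pass its bytes to `audit_zip`; a gateway rule of the kind listed above would quarantine on any finding with `mismatch` set. `stdlib_extract` shows the other side of the inconsistency the article describes: an extractor that believes the header but checks the CRC refuses the file, as 7-Zip and WinRAR reportedly do, whereas a scanner that believes the header and checks nothing simply sees a small blob of "stored" bytes.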
