AES Encryption Flaw in pyzipper Affects Zip File Security
CVE-2026-44722

6.2MEDIUM

Key Information:

Vendor

Danifus

Status
Vendor
CVE Published:
17 July 2026

What is CVE-2026-44722?

A flaw in the pyzipper library, which is designed to manage AES encrypted zip files, allows the AE-2 encryption format to remain unselected automatically due to a Python operator precedence issue. This results in encrypted entries written in the AE-1 format, exposing the plaintext CRC32 checksum in the ZIP header. For unseekable zip archives, this information can also appear in the datadescripter section. As a result, an attacker can exploit this vulnerability by using brute force methods to derive plaintexts for files with low entropy or small sizes, leveraging the obtainable CRC32 values. This issue is resolved in version 0.4.0.

Affected Version(s)

pyzipper < 0.4.0

References

CVSS V3.1

Score:
6.2
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.