AES Encryption Flaw in pyzipper Affects Zip File Security
CVE-2026-44722
6.2MEDIUM
What is CVE-2026-44722?
A flaw in the pyzipper library, which is designed to manage AES encrypted zip files, allows the AE-2 encryption format to remain unselected automatically due to a Python operator precedence issue. This results in encrypted entries written in the AE-1 format, exposing the plaintext CRC32 checksum in the ZIP header. For unseekable zip archives, this information can also appear in the datadescripter section. As a result, an attacker can exploit this vulnerability by using brute force methods to derive plaintexts for files with low entropy or small sizes, leveraging the obtainable CRC32 values. This issue is resolved in version 0.4.0.
Affected Version(s)
pyzipper < 0.4.0
