CVE-2026-26064 / CVE-2026-26065: calibre Path Traversal Flaw Enables Arbitrary File Write and Windows RCE via Startup Folder Abuse

Aegiron 9 mins0

Product Overview — calibre

Product Name: calibre
Vendor: Kovid Goyal
Platform: Windows, macOS, Linux
Primary Function: e-Book management, conversion, editing, metadata handling, and library organization
Vulnerability Type: Path Traversal → Arbitrary File Write → Windows Remote Code Execution
Affected Versions: ≤ 9.2.1
Fixed Version: 9.3.0 and later
Official Patch / Upgrade Link: https://calibre-ebook.com/download

calibre is widely used for managing and converting digital books. It processes various archive-based formats (EPUB, PDB, MOBI, ZIP-based containers). The vulnerability discussed below originates in the way certain archive contents were extracted and written to disk.

Vulnerability Summary

FieldDetails
CVE Namecalibre Arbitrary File Write Vulnerability
CVE IDsCVE-2026-26064, CVE-2026-26065
Vulnerability ClassPath Traversal (CWE-22)
ImpactArbitrary File Write → Windows RCE
CVSS v38.8 (High)
CVSS v4 (CNA)9.3 (Critical)
Attack VectorUser opens malicious e-book/archive
Privileges RequiredNone beyond user context
User InteractionRequired
Exploit AvailabilityNo widely weaponized public exploit; technically trivial to reproduce
Patch StatusFixed in calibre 9.3.0

Technical Description

A flaw was identified in certain extraction routines within calibre responsible for unpacking embedded resources (such as images) from e-book files.

Instead of fully validating and normalizing file paths during extraction, the code relied on insufficient prefix checks. Path traversal sequences such as ../ were not properly sanitized in specific code paths.

Because of this, files could be written outside the intended extraction directory.

If a malicious archive contained a file entry such as:

Pictures/../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/malicious.exe

the application would process and write the file without restricting it to the safe directory.

On Windows systems, this becomes critical. Files written to the Startup folder execute automatically when the user logs in. Therefore:

Arbitrary file write → Persistence → Code execution as logged-in user

The vulnerability does not grant SYSTEM privileges directly. Execution occurs in the security context of the victim user.

Root Cause Analysis

The vulnerability was introduced due to:

  • Incomplete canonicalization of file paths
  • Lack of strict validation against directory traversal patterns
  • Manual file write logic instead of hardened archive extraction APIs
  • Insufficient enforcement of extraction boundary checks

Safe extraction functions that normalize paths were bypassed in certain routines (notably PDB readers and picture extraction handlers).

Exploitation Scenario (Educational)

  1. A crafted EPUB/PDB/ZIP file is generated.
  2. The archive includes malicious filenames containing traversal sequences.
  3. The victim opens or imports the file into calibre.
  4. calibre extracts embedded resources.
  5. A payload file is written into a sensitive directory (e.g., Startup).
  6. On next login, Windows executes the planted file.

No network listener or remote daemon is required. Social engineering or malicious content distribution is sufficient.

Proof-of-Concept Status

At the time of analysis:

  • No mainstream exploit kit has been observed.
  • The vulnerability is technically simple to reproduce.
  • A PoC would involve crafting a ZIP-based e-book container with manipulated filenames.
  • Because exploitation requires only path manipulation, development of a PoC is considered low complexity.

Due to responsible disclosure considerations, exploit construction steps are not provided.

Payload Characteristics Observed in Theoretical Exploitation

Attackers would likely attempt to write:

  • .exe binaries
  • .lnk shortcut files
  • .bat or .cmd scripts
  • .ps1 PowerShell scripts
  • DLL files for sideloading scenarios

Common target directories:

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\
%PROGRAMDATA%\Microsoft\Windows\Start Menu\Programs\Startup\

Other possible abuse targets:

  • User profile directories
  • Application configuration folders
  • Overwriting existing executable resources
  • Library poisoning attempts

Detection Strategy

Primary Log Sources

  • Endpoint Detection and Response (EDR)
  • Sysmon
  • Windows Security Event Logs (Object Access auditing)
  • File Integrity Monitoring (FIM)
  • Application control logs (AppLocker / WDAC)

Indicators of Exploitation

  • calibre.exe writing executable files
  • File creation in Startup folder by calibre.exe
  • Unexpected file types written during book import
  • Suspicious files appearing immediately after e-book import
  • Executables whose parent process was calibre.exe

Detection Queries

Splunk Query

index=windows (EventCode=11 OR EventCode=4663)
Image="*\\calibre.exe"
(TargetFilename="*\\Start Menu\\Programs\\Startup\\*")
| table _time, host, user, Image, TargetFilename

Microsoft Defender for Endpoint

DeviceFileEvents
| where InitiatingProcessFileName == "calibre.exe"
| where FolderPath contains "Start Menu\\Programs\\Startup"
| project Timestamp, DeviceName, InitiatingProcessAccountName, FolderPath, FileName

Elastic EQL

file where process.name == "calibre.exe" and
file.path : "*\\Start Menu\\Programs\\Startup\\*"

Sysmon Configuration Recommendation

Monitor:

  • Event ID 11 (FileCreate)
  • Event ID 1 (ProcessCreate)

Filter:

Image ends with calibre.exe
TargetFilename contains Start Menu\Programs\Startup

Forensic Investigation Steps

  1. Identify recently created files in Startup directories.
  2. Review file hashes and execution timestamps.
  3. Correlate with calibre usage logs.
  4. Examine imported e-books around compromise timeframe.
  5. Isolate host if malicious file execution confirmed.
  6. Remove persistence artifacts.
  7. Conduct full endpoint malware scan.

Risk Assessment

Severity is considered High to Critical due to:

  • Simple exploitation method
  • No privilege requirement beyond user
  • Persistent execution on Windows
  • Widespread usage of calibre

Impact is limited to user-level privileges but may escalate depending on environment misconfigurations.

Mitigation and Remediation

Immediate Action

Upgrade to the fixed version:

Official Upgrade Link:
https://calibre-ebook.com/download

Version 9.3.0 and later contain the correction for the vulnerable extraction logic.

Additional Defensive Controls

  • Restrict write permissions to Startup folders where feasible.
  • Enable attack surface reduction rules.
  • Deploy file integrity monitoring.
  • Educate users against opening untrusted e-books.
  • Run calibre in restricted user contexts when possible.

MITRE ATT&CK Mapping

TacticTechnique
PersistenceT1547 – Boot or Logon Autostart Execution
ExecutionT1204 – User Execution
Defense EvasionT1036 – Masquerading (if malicious file disguised)

Overall Security Posture Recommendation

This vulnerability represents a classic archive extraction flaw with high real-world impact on Windows systems. The absence of strict path validation allowed directory traversal, enabling attackers to convert file write capability into persistent code execution.

Patch adoption should be prioritized.
Endpoint monitoring rules should be deployed even after patching to detect potential prior exploitation.
Historical log review is recommended for organizations with large Windows user bases running vulnerable versions.

Aegiron

Backed by 11+ years in cybersecurity and incident response, we decode the latest threats shaping today’s digital battlefield. This blog cuts through the noise with clear insights on vulnerabilities, emerging exploits, and the cyber news defenders can’t afford to miss.