|
| 1 | +--- |
| 2 | +title: "Breaking change: CRC32 validation added when reading ZIP archive entries" |
| 3 | +description: "Learn about the breaking change in .NET 11 where reading ZIP archive entries now validates CRC32 checksums and throws InvalidDataException for corrupted data." |
| 4 | +ms.date: 04/03/2026 |
| 5 | +ai-usage: ai-assisted |
| 6 | +--- |
| 7 | + |
| 8 | +# CRC32 validation added when reading ZIP archive entries |
| 9 | + |
| 10 | +Starting in .NET 11, the <xref:System.IO.Compression> library validates CRC32 checksums when reading ZIP archive entries. If the computed CRC32 checksum doesn't match the expected value stored in the ZIP file's metadata, an <xref:System.IO.InvalidDataException> is thrown. |
| 11 | + |
| 12 | +## Version introduced |
| 13 | + |
| 14 | +.NET 11 Preview 3 |
| 15 | + |
| 16 | +## Previous behavior |
| 17 | + |
| 18 | +Previously, `System.IO.Compression` didn't validate CRC32 checksums when reading ZIP archive entries. Corrupted or tampered ZIP entries could be read without errors, potentially causing silent data corruption. |
| 19 | + |
| 20 | +```csharp |
| 21 | +using System.IO.Compression; |
| 22 | + |
| 23 | +using var archive = ZipFile.OpenRead("corrupted.zip"); |
| 24 | +var entry = archive.GetEntry("file.txt") |
| 25 | + ?? throw new FileNotFoundException("Entry 'file.txt' not found in archive."); |
| 26 | + |
| 27 | +using var stream = entry.Open(); |
| 28 | + |
| 29 | +// Data read without any validation of its integrity. |
| 30 | +byte[] buffer = new byte[entry.Length]; |
| 31 | +stream.ReadExactly(buffer); |
| 32 | +``` |
| 33 | + |
| 34 | +## New behavior |
| 35 | + |
| 36 | +Starting in .NET 11, the library verifies the integrity of ZIP entries during read operations. If the computed CRC32 checksum doesn't match the expected value from the ZIP file's metadata, an <xref:System.IO.InvalidDataException> is thrown. |
| 37 | + |
| 38 | +## Type of breaking change |
| 39 | + |
| 40 | +This change is a [behavioral change](../../categories.md#behavioral-change). |
| 41 | + |
| 42 | +## Reason for change |
| 43 | + |
| 44 | +This change improves the reliability and security of `System.IO.Compression`. By validating CRC32 checksums, the library detects and prevents use of corrupted or tampered ZIP entries, ensuring applications don't inadvertently process invalid data. For more information, see [dotnet/runtime#124766](https://github.com/dotnet/runtime/pull/124766). |
| 45 | + |
| 46 | +## Recommended action |
| 47 | + |
| 48 | +If your application processes ZIP files that might be corrupted or tampered with, handle <xref:System.IO.InvalidDataException> appropriately: |
| 49 | + |
| 50 | +```csharp |
| 51 | +try |
| 52 | +{ |
| 53 | + using var archive = ZipFile.OpenRead("corrupted.zip"); |
| 54 | + var entry = archive.GetEntry("file.txt") |
| 55 | + ?? throw new FileNotFoundException("Entry 'file.txt' not found in archive."); |
| 56 | + |
| 57 | + using var stream = entry.Open(); |
| 58 | + |
| 59 | + byte[] buffer = new byte[entry.Length]; |
| 60 | + stream.ReadExactly(buffer); |
| 61 | +} |
| 62 | +catch (InvalidDataException ex) |
| 63 | +{ |
| 64 | + Console.WriteLine($"Error reading ZIP entry: {ex.Message}"); |
| 65 | +} |
| 66 | +``` |
| 67 | + |
| 68 | +## Affected APIs |
| 69 | + |
| 70 | +- <xref:System.IO.Compression.ZipArchiveEntry.Open?displayProperty=fullName> |
0 commit comments