Critical Memory Safety Vulnerabilities Discovered in 7-Zip: From Data Leaks to Remote Code Execution
A series of sophisticated memory safety vulnerabilities has been identified in 7-Zip version 26.00 and earlier, creating a significant security risk for both individual users and enterprise environments. These flaws, discovered by the GitHub Security Lab, range from sensitive information disclosure to high-impact remote code execution (RCE).
The most alarming discovery is a critical heap buffer overflow within the NTFS archive handler, documented as GHSL-2026-140 (CVE-2026-48095). This is accompanied by a cluster of memory access violations (GHSL-2026-115 through GHSL-2026-122) affecting several other archive formats.
Deep Dive: The NTFS Heap Overflow (CVE-2026-48095)
The primary threat stems from a logic error during the calculation of the NTFS compression unit buffer size. Specifically, the handler utilizes a 32-bit shift operation that results in undefined behavior. This mathematical oversight allows an attacker to manipulate the allocation logic of the application.
By engineering a malicious NTFS image with specifically tuned cluster sizes and compression units, an attacker can trick 7-Zip into allocating a minuscule 1-byte input buffer. However, during the subsequent decompression phase, the application attempts to write up to 256 MB of attacker-controlled data into that tiny memory space. This massive overflow allows the attacker to overwrite adjacent memory structures, most notably a stream object’s vtable pointer. By hijacking this pointer, a subsequent read call can be redirected to a malicious payload, granting the attacker the ability to execute arbitrary code within the context of the 7-Zip process.
Notably, because 7-Zip employs signature-based auto-detection to identify file formats, an attacker does not need to use a specific “.ntfs” extension. Any file containing an NTFS signature—even if it carries a benign extension like “.zip” or “.txt”—can be routed to the vulnerable code path, making this a highly effective vector for phishing.
Secondary Vulnerabilities: Memory Disclosure and Integer Overflows
Beyond the RCE threat, a group of vulnerabilities affects various other handlers, including SquashFS, UEFI capsules, UDF, and WIM formats. These issues generally fall into three categories: out-of-bounds reads, integer overflows, and the utilization of uninitialized heap memory.
- SquashFS Integer Overflow: A 32-bit integer overflow in the SquashFS handler allows a crafted fragment offset to bypass established boundary checks. This enables an attacker to read data preceding the intended heap buffer, effectively leaking internal process memory into the extracted file.
- UEFI Capsule Data Leak: The parser for UEFI capsules (.scap) is susceptible to a massive data leak. If a capsule image is intentionally truncated, the parser may extract up to 1 GiB of uninitialized heap memory. This is particularly dangerous as it could expose sensitive “leftover” data from previous operations, such as decrypted passwords or session tokens.
More details on these secondary flaws can be found in the GitHub Security Lab advisory.
Mitigation and Remediation
The security implications of these bugs are widespread due to 7-Zip’s ubiquity. The NTFS overflow has been assigned a CVSS v3.1 score of 8.8 (High), reflecting the ease with which it can be exploited with minimal user interaction.
Immediate Action Required:
The maintainer addressed these vulnerabilities in 7-Zip version 26.01, released on April 27, 2026. All users and system administrators should prioritize upgrading to this version or later immediately via the official 7-Zip.org website.
Defensive Strategies for Organizations:
- Vulnerability Scanning: Update endpoint management tools to identify any legacy installations of 7-Zip version 26.00 or older.
- Attack Surface Reduction: In high-security environments where rapid patching is delayed, consider restricting 7-Zip usage or implementing strict controls on the handling of untrusted NTFS, SquashFS, and UEFI capsule files.
- Monitoring: Watch for anomalous behavior in extracted files. Since several of these bugs facilitate “in-band” data exfiltration (where the leaked data is written directly into the output file), unexpected file contents can serve as a primary indicator of compromise (IoC).