By vendor
7-Zip vulnerabilities
Known CVEs affecting 7-Zip products, prioritized by severity, with SEC.co remediation and detection guidance.
8 published vulnerabilities
- CVE-2026-48095HIGH 8.8
7-Zip, the widely used file compression utility, contains a critical flaw in how it handles NTFS compressed disk images. When a specially crafted image is opened—even with an innocuous file extension—the application miscalculates memory buffer sizes, leading to a situation where attackers can write massive amounts of data into a tiny allocated space. This memory corruption can overwrite the application's internal control structures, giving attackers the ability to execute arbitrary code on the affected system. Versions 26.00 and earlier are vulnerable; version 26.01 and later have been patched.
- CVE-2026-48101MEDIUM 6.5
7-Zip versions 9.21 through 26.00 contain a memory disclosure flaw in their UEFI capsule parser. When processing truncated or specially crafted .scap files, the application allocates a large heap buffer without clearing it first, then fails to verify that the file contents completely filled that buffer. Any unread portion of the buffer retains leftover data from previous memory allocations—potentially sensitive information—which then leaks to the user when the archive is extracted. This affects any organization or individual using affected 7-Zip versions to handle capsule files, and is fixed in version 26.0.1.
- CVE-2026-48112MEDIUM 6.5
7-Zip versions 9.18 through 26.00 contain a memory safety defect in their handler for Unix ar archives—specifically when parsing BSD-style symbol tables. The flaw allows an attacker to craft a malicious ar archive that, when opened by 7-Zip, causes the parser to read 4 bytes of uninitialized heap memory beyond the intended buffer boundary. This disclosure of uninitialized data could leak sensitive information from the process memory. The vulnerability requires user interaction: a victim must open the malicious archive file. Version 26.01 resolves the issue.
- CVE-2026-48092MEDIUM 4.3
7-Zip versions 9.34 through 26.00 contain a flaw in how they process SquashFS archive files that can leak sensitive data from memory when extracting files. The vulnerability exists only in 32-bit builds of 7-Zip and requires an attacker to craft a malicious archive with specially modified metadata. When a user extracts such an archive, heap memory contents that should remain private are instead written into the extracted file, potentially exposing passwords, encryption keys, or other sensitive information stored in memory. The issue stems from integer arithmetic wrapping that bypasses safety checks. Users on 64-bit systems are not affected.
- CVE-2026-48103MEDIUM 4.3
7-Zip versions 9.34 through 26.00 contain a memory read vulnerability in the WIM (Windows Imaging Format) archive handler. When processing specially crafted WIM files, the software reads a small amount of data just beyond an allocated memory region due to an off-by-one error in bounds checking. This occurs automatically in the file manager when listing directory contents, requiring only that a user open or preview a malicious WIM file. The practical impact is limited to crashes or potential minor leaks of adjacent memory; no file corruption or system compromise is possible through this flaw alone.
- CVE-2026-48111MEDIUM 4.3
7-Zip versions 9.21 through 26.00 contain a boundary-checking flaw in their UEFI firmware image parser. When processing certain archive sections, the parser uses an incorrect comparison operator that allows a malicious opcode value to read data beyond an array's bounds. This can either crash the application when the out-of-bounds memory is invalid, or leak small amounts of adjacent string data into the archive's metadata. The flaw is triggered automatically when opening a specially crafted archive file, but the leaked information is limited and does not expose sensitive data or memory layout information.
- CVE-2026-48104MEDIUM 4.2
7-Zip versions 9.18 through 26.00 contain a memory safety bug in the SquashFS archive handler that can crash the application or leak heap information when processing a specially crafted archive file. The vulnerability stems from uninitialized memory left in an internal index structure; an attacker can craft a SquashFS archive that causes the handler to read from these uninitialized slots and potentially dereference invalid pointers during directory parsing. The issue is triggered automatically when you open the malicious file—no user interaction beyond that is required. The impact is limited to denial of service and potential information disclosure; the attacker cannot modify files or escalate privileges.
- CVE-2026-48102LOW 3.1
7-Zip versions 9.11 through 26.00 contain a flaw in how they parse UDF (Universal Disk Format) disc images—used in .iso and .udf files. When processing certain malformed UDF file structures, the parser reads 1 to 3 bytes beyond the allocated memory buffer. This out-of-bounds read occurs during the file open operation and can reveal small amounts of memory content or cause the application to crash. The vulnerability requires user interaction (opening a crafted archive) and affects only information disclosure and stability, not file integrity or system compromise.