MEDIUM 4.3

CVE-2026-48092: 7-Zip 32-Bit Heap Memory Disclosure via SquashFS Integer Overflow

7-Zip versions 9.34 through 26.00 contain a flaw in how they process SquashFS archive files that can leak sensitive data from memory when extracting files. The vulnerability exists only in 32-bit builds of 7-Zip and requires an attacker to craft a malicious archive with specially modified metadata. When a user extracts such an archive, heap memory contents that should remain private are instead written into the extracted file, potentially exposing passwords, encryption keys, or other sensitive information stored in memory. The issue stems from integer arithmetic wrapping that bypasses safety checks. Users on 64-bit systems are not affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Weaknesses (CWE)
CWE-125
Affected products
1 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain a heap memory disclosure via SquashFS fragment offset integer overflow on 32-bit builds. 32-bit integer overflow in the SquashFS ReadBlock function allows an attacker-controlled node.Offset value to bypass the fragment bounds check, causing memcpy to read heap memory preceding the cache buffer into the extracted file. The vulnerability is exploitable only on 32-bit builds of 7-Zip where size_t is 32 bits, allowing the addition offsetInBlock + blockSize to wrap modulo 2³². On 64-bit builds the addition is promoted to 64 bits and the check correctly rejects the input. Version 26.01 patches the issue.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-48092 is a heap memory disclosure vulnerability in the SquashFS fragment handling code of 7-Zip. The ReadBlock function in 32-bit builds performs arithmetic on a 32-bit integer (offsetInBlock + blockSize) without verifying that the result remains within valid bounds. When an attacker-controlled SquashFS node specifies an offset that triggers integer overflow modulo 2³², the result wraps to a small value, bypassing the subsequent fragment bounds validation check. This allows a memcpy operation to read beyond the intended cache buffer and into adjacent heap memory, which is then copied into the extracted file. On 64-bit platforms, the same arithmetic is automatically promoted to 64-bit integers, preventing overflow and causing the validation to correctly reject the malicious input. The vulnerability affects all 32-bit builds from version 9.34 through version 26.00, inclusive.

Business impact

Organizations relying on 7-Zip to extract or decompress files as part of their workflows—especially those handling untrusted archives from external parties—face information disclosure risk. An attacker can craft a malicious SquashFS archive that leaks memory contents when extracted on a 32-bit system. This could expose API keys, session tokens, database credentials, or source code snippets resident in memory at extraction time. However, the impact is limited to memory fragments; attackers cannot directly execute code or modify files. The CVSS score of 4.3 reflects the low severity (memory disclosure without authentication requirement) tempered by the need for user interaction and the platform-specific nature (32-bit only).

Affected systems

The vulnerability affects all 32-bit builds of 7-Zip versions 9.34 through 26.00. This includes standalone 32-bit installations on Windows, Linux, and other platforms, as well as any applications or systems that bundle 7-Zip as a component and expose its archive extraction functionality to user-supplied files. 64-bit builds are not vulnerable. Organizations should audit their deployment environment to determine whether 32-bit 7-Zip binaries are in active use; many modern deployments default to 64-bit and may already be protected.

Exploitability

Exploitation is straightforward in concept but requires the victim to extract a malicious archive. An attacker must craft a SquashFS archive embedded within a 7-Zip file and control the fragment offset metadata to trigger integer overflow. No authentication or elevated privileges are required; the attacker simply provides the malicious archive for a user to extract. However, the attacker cannot predict what memory will be leaked—it depends on the heap state at the moment of extraction, making targeted exfiltration of specific secrets difficult. The vulnerability is not actively tracked in CISA's Known Exploited Vulnerabilities catalog, and no public exploit code is known at this time.

Remediation

Upgrade to 7-Zip version 26.01 or later, which includes a corrected bounds check that prevents the integer overflow. Users unable to upgrade immediately should restrict extraction of untrusted SquashFS archives to systems running 64-bit builds of 7-Zip, or use alternative archive tools. Consider implementing application-level policies to disable or warn on archive extraction from untrusted sources.

Patch guidance

The patch in version 26.01 addresses the integer overflow by enforcing proper validation of fragment offsets regardless of the architecture. When upgrading, verify that you download from the official 7-Zip project repository (https://www.7-zip.org) to ensure authenticity. Deployment teams should prioritize patching 32-bit installations. Test the update on non-production systems first to ensure compatibility with existing workflows. For enterprise environments, coordinate with asset management to identify all systems or applications that include 7-Zip and plan a staged rollout if necessary.

Detection guidance

Detection of active exploitation is challenging because the vulnerability requires observing the extraction of a specially crafted archive followed by inspection of the extracted file contents to confirm memory leakage. File integrity monitoring on 32-bit systems can flag unexpected data in extracted archives, but this generates noise without a baseline. Endpoint Detection and Response (EDR) tools may detect unusual heap memory access patterns during 7-Zip execution if they monitor system calls in detail, but this is platform and configuration dependent. Recommend conducting an asset inventory to locate all 32-bit 7-Zip deployments and prioritize their upgrade. Monitor update channels and vendor advisories for further guidance on detection methods as they become available.

Why prioritize this

While the CVSS score is moderate (4.3) and the vulnerability requires user interaction, organizations with 32-bit 7-Zip deployments handling untrusted archives should prioritize patching to reduce information disclosure risk. The fix is simple (upgrade to 26.01), the affected versions span many years of releases, and heap memory disclosure can expose credentials or secrets. However, this is not a critical remote code execution risk and can be managed through a planned patching cycle rather than emergency response.

Risk score, explained

CVSS 3.1 assigns a score of 4.3 (MEDIUM) because the vulnerability results in memory disclosure (confidentiality impact: LOW) but does not compromise integrity or availability. The attack vector is network-accessible (the attacker can distribute a malicious archive), access complexity is low, no privileges are required, and user interaction is required (the victim must extract the archive). The constraint to 32-bit builds and the unpredictability of leaked memory contents further limit practical impact compared to a more directed attack. Organizations should not ignore this score, but it does not warrant the same urgency as higher-severity findings.

Frequently asked questions

Are 64-bit users of 7-Zip affected?

No. The vulnerability only affects 32-bit builds. On 64-bit systems, the integer arithmetic is automatically promoted to 64 bits, preventing the overflow and causing the bounds check to function correctly. Users running 64-bit 7-Zip are not at risk.

Do I need to worry if I only extract archives from trusted sources?

Not significantly. The vulnerability requires a malicious archive crafted by an attacker. If your users extract only archives from sources you control or trust, your exposure is minimal. However, defense-in-depth recommends patching regardless.

What information could be leaked?

The vulnerability leaks whatever heap memory happens to be allocated near the extraction buffer at the time of extraction. This could include session tokens, API keys, private keys, or fragments of source code—but the attacker cannot predict or target specific data. The leaked content depends on the heap state and is uncontrolled.

Will updating 7-Zip break my workflows?

Version 26.01 is a patch release and should be drop-in compatible with existing configurations. However, test the update in a non-production environment first to confirm compatibility with your specific use cases and any third-party tools that rely on 7-Zip.

This analysis is based on vendor advisory data and the CVE record current as of the publication date. Severity ratings and remediation guidance may evolve as additional information becomes available. Organizations should verify patch availability and compatibility with their specific 7-Zip build and deployment architecture. This vulnerability was not publicly disclosed as an actively exploited threat at the time of analysis, but that status may change. Always consult the official 7-Zip project website and security advisories from your software supply chain before deploying patches in production environments. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).