HIGH 8.8

CVE-2026-48095: Critical Heap Overflow in 7-Zip NTFS Handler Enables Code Execution

7-Zip, the widely used file compression utility, contains a critical flaw in how it handles NTFS compressed disk images. When a specially crafted image is opened—even with an innocuous file extension—the application miscalculates memory buffer sizes, leading to a situation where attackers can write massive amounts of data into a tiny allocated space. This memory corruption can overwrite the application's internal control structures, giving attackers the ability to execute arbitrary code on the affected system. Versions 26.00 and earlier are vulnerable; version 26.01 and later have been patched.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-190, CWE-787
Affected products
1 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB), potentially allowing attackers to cause arbitrary code execution or application crashes. CInStream::GetCuSize() in the NTFS handler computes the compression-unit buffer size as (UInt32)1 << (BlockSizeLog + CompressionUnit), and a crafted image with ClusterSizeLog >= 28 and CompressionUnit == 4 drives the exponent to 32, which is undefined behavior and collapses on x86/x64 so _inBuf is allocated as 1 byte. ReadStream_FALSE then writes up to 256 MB of attacker-controlled data into that 1-byte buffer in 64 KB iterations, and because the CInStream object sits only 304 bytes after _inBuf, its vtable pointer is overwritten and the next dispatched call achieves a vtable hijack. On 32-bit builds the overflow is unconditionally reached; on 64-bit it requires the parallel 8 GB _outBuf allocation to succeed, otherwise failing closed to denial of service. The NTFS handler is enabled by default in stock 7z.dll and, via signature-based fallback matching "NTFS " at offset 3, will open a crafted image regardless of file extension during extraction or testing. Version 26.01 fixes the issue.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability stems from an undefined behavior bug in CInStream::GetCuSize() within 7-Zip's NTFS handler. The function computes compression-unit buffer allocation as (UInt32)1 << (BlockSizeLog + CompressionUnit). When a malicious NTFS image specifies ClusterSizeLog >= 28 and CompressionUnit == 4, the shift exponent reaches 32 bits, triggering undefined behavior on x86/x64 architectures that causes the expression to evaluate to 1 instead of the intended large value. This results in _inBuf being allocated as a single byte. The subsequent ReadStream_FALSE operation then attempts to write up to 256 MB of attacker-controlled data into this 1-byte buffer in 64 KB chunks, corrupting adjacent heap structures. The CInStream object itself resides only 304 bytes away, allowing the overflow to corrupt its vtable pointer. On 64-bit systems, exploitation additionally requires successful allocation of an 8 GB _outBuf; if that allocation fails, the vulnerability degrades to denial of service rather than code execution. The NTFS handler is enabled by default and uses signature-based detection ("NTFS " at offset 3) that ignores file extensions, meaning any file with the correct magic bytes will be processed as an NTFS image during extraction or integrity testing.

Business impact

This vulnerability poses significant operational risk for organizations deploying 7-Zip, particularly in automated data extraction pipelines, archival systems, or user-facing applications that process untrusted archives. The ability to achieve arbitrary code execution means an attacker can gain the privileges of the user running 7-Zip—potentially escalating to system compromise if the process runs with elevated rights. Email-based distribution of malicious archives remains a primary attack vector. Organizations relying on 7-Zip for data handling, backup validation, or secure deletion workflows should treat this as a high-priority remediation target.

Affected systems

7-Zip versions 26.00 and prior are affected across all supported platforms. The default installation includes the vulnerable NTFS handler in 7z.dll. Both 32-bit and 64-bit builds are vulnerable, though exploitation mechanics differ: 32-bit builds unconditionally reach the overflow condition, while 64-bit builds require the 8 GB secondary allocation to succeed for code execution (otherwise failing to denial of service). Any system using the affected library—whether directly via the GUI, command-line tool, or embedded via the DLL in third-party applications—is at risk.

Exploitability

Exploitation requires only that a user (or automated process) opens a crafted NTFS disk image with 7-Zip. No authentication, special privileges, or complex user interaction beyond archive extraction is needed. The signature-based detection means the file extension is irrelevant; a .txt or .dat file containing the NTFS magic bytes will be interpreted as an NTFS image. Proof-of-concept crafting requires understanding of NTFS structures and heap layout to reliably corrupt the vtable, but the core vulnerability is straightforward. The attack surface is broad because file processing in enterprise environments often happens automatically or semi-automatically, with limited validation of file origin or content type.

Remediation

Update 7-Zip to version 26.01 or later, which corrects the undefined behavior in buffer allocation and prevents the heap overflow. Verify the update across all deployment points: standalone installations, embedded DLL instances in third-party software, and build integration scripts. For organizations unable to patch immediately, consider restricting 7-Zip's use to trusted, validated archives and disabling the NTFS handler if configuration options permit. Input validation—such as rejecting files with NTFS signatures unless explicitly expected—can reduce exposure while patches are deployed.

Patch guidance

Verify the release notes for 7-Zip 26.01 (available from the official 7-Zip project site) to confirm the fix addresses the GetCuSize undefined behavior. If 7-Zip is embedded in third-party applications, check each vendor's advisory separately, as patch availability and release cycles will vary. For enterprise deployments, test version 26.01 in a staging environment to ensure compatibility with existing archive formats and scripts before rolling out to production. Track not only standalone 7-Zip installations but also DLL-based integrations in other tools.

Detection guidance

Monitor for NTFS-formatted archives or disk images processed by 7-Zip, particularly those arriving via email or untrusted sources. Look for unusual 7-Zip process behavior—crashes with access violations, unexpected memory allocation patterns, or abnormal child process spawning following archive extraction. Endpoint Detection and Response (EDR) solutions should flag heap corruption attempts targeting 7-Zip. Log analysis of file sources combined with process monitoring can identify attempts to deliver malicious archives. Note that the vulnerability is triggered passively during extraction or testing, so behavioral anomalies may precede system compromise.

Why prioritize this

This vulnerability merits high-priority attention due to its combination of high CVSS score (8.8), straightforward exploitation mechanics, broad default exposure via the NTFS handler, and potential for code execution. The file-extension agnostic detection means attackers have flexibility in delivery, and the low user-interaction requirement increases risk in automated environments. Organizations with unpatched 7-Zip instances processing external archives face meaningful exposure to immediate compromise.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects remote exploitation over the network, no required privileges, low attack complexity, and high impact on confidentiality, integrity, and availability. While the exploit does require user interaction (opening a file), the low barrier to triggering that interaction—simply processing an archive—keeps the score elevated. The undefined behavior nature of the root cause and the proximity of overflowing data to exploitable structures (vtable) support the high severity rating.

Frequently asked questions

Can this vulnerability be exploited without user action?

Technically, exploitation requires a user or automated process to extract or test an archive containing the malicious NTFS image. However, in many enterprise environments where archive processing is routine and automated, the practical distinction is minimal. Attackers can deliver the payload via email, file-sharing services, or compromised web servers and rely on standard workflow to trigger extraction.

Does patching require a reboot?

No. A standard application update to 7-Zip 26.01 does not require a system reboot. However, any running instances of 7-Zip should be closed before updating to ensure the new version is loaded. For embedded DLL instances, the hosting application may need to be restarted.

What file types are at risk?

Any file with the NTFS signature bytes ("NTFS ") at offset 3 will trigger the NTFS handler, regardless of file extension or claimed format. This includes .iso files, disk image formats, and even mislabeled or polyglot files. Legitimate NTFS images and archives are not inherently dangerous; the risk arises from untrusted, adversary-crafted images.

If I only extract .zip and .7z files, am I safe?

Not necessarily. If your workflow involves extracting archives that may contain NTFS images, or if you use 7-Zip to test file integrity without restricting input types, you remain exposed. Additionally, third-party tools embedding 7-Zip may not filter input, so review your full dependency chain.

This analysis is based on the official CVE record and vendor advisories current as of the publication date. Attack techniques and mitigation effectiveness may evolve as the threat landscape changes. Organizations should verify patch applicability with their specific 7-Zip deployment and any embedded instances in third-party software. This information is provided for educational and defensive security purposes only. Always test patches in non-production environments before enterprise rollout. SEC.co makes no warranty regarding the completeness or accuracy of derived risk scores or recommendations; consult vendor security bulletins and your organization's risk management policies for definitive guidance. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).