MEDIUM 6.5

CVE-2026-48101: 7-Zip UEFI Capsule Memory Disclosure Vulnerability

7-Zip versions 9.21 through 26.00 contain a memory disclosure flaw in their UEFI capsule parser. When processing truncated or specially crafted .scap files, the application allocates a large heap buffer without clearing it first, then fails to verify that the file contents completely filled that buffer. Any unread portion of the buffer retains leftover data from previous memory allocations—potentially sensitive information—which then leaks to the user when the archive is extracted. This affects any organization or individual using affected 7-Zip versions to handle capsule files, and is fixed in version 26.0.1.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-908
Affected products
1 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an An uninitialized memory disclosure vulnerability in the UEFI capsule (.scap) parser in 7-Zip. The OpenCapsule function allocates a heap buffer of attacker-declared CapsuleImageSize (up to 1 GiB) without zero-initialization, then reads the file contents into it with ReadStream_FALSE whose return value is silently discarded. If the file is truncated, the unread tail of the buffer retains uninitialized heap memory, which is then exposed as extracted file content via GetStream. Version 26.0.1 fixes the issue.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability exists in the OpenCapsule function within 7-Zip's UEFI capsule (.scap) parser. The function allocates a heap buffer up to 1 GiB in size based on an attacker-supplied CapsuleImageSize field, but does not initialize the memory to zero. The function then calls ReadStream_FALSE to populate this buffer with file contents; however, the return value—which indicates how many bytes were actually read—is discarded without checking. If a malicious or truncated .scap file provides fewer bytes than the declared capsule size, the trailing portion of the heap buffer remains uninitialized. When the parser later retrieves the buffer contents via GetStream, this uninitialized heap memory is exposed as part of the extracted file data. The memory may contain fragments of previously freed objects, stack data, or other sensitive heap allocations from the same process. This is classified as an uninitialized memory disclosure (CWE-908) with a CVSS 3.1 score of 6.5 (MEDIUM severity).

Business impact

The primary risk is information disclosure: an attacker can craft a malicious .scap file that, when extracted by a victim using a vulnerable 7-Zip version, causes heap memory to be leaked as file output. This memory may contain cryptographic keys, credentials, or other sensitive data resident in the process. For organizations that process firmware update capsules or handle untrusted archive content, this could facilitate credential theft or system compromise planning. End-user risk is lower if 7-Zip is used only with trusted archives, but the ease of exploitation and lack of user authentication requirements (CVSS AV:N, PR:N, UI:R) means wide deployment of vulnerable versions could enable opportunistic attacks. The MEDIUM severity reflects the confidentiality impact without direct code execution or availability loss.

Affected systems

7-Zip versions 9.21 through 26.00 are affected. The vulnerability resides specifically in the UEFI capsule (.scap) parser, so impact is limited to users or systems that extract .scap files. Version 26.0.1 and later versions after the fix eliminate the vulnerability. Organizations should verify their deployed 7-Zip version and check whether their workflows involve processing capsule files, particularly those from untrusted or external sources.

Exploitability

The vulnerability requires user interaction (UI:R)—a user must actively extract or open a malicious .scap file. However, the barrier to exploitation is low: an attacker simply crafts a truncated or undersized capsule file and distributes it via email, web download, or file sharing. No special privileges are required, and the attack is network-accessible. The CVSS vector (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N) indicates straightforward exploitation once a user processes the file. This is not listed in CISA's Known Exploited Vulnerabilities catalog, but the technical simplicity and public disclosure mean exploitation tools could emerge quickly.

Remediation

Upgrade to 7-Zip version 26.0.1 or later. Users and administrators should prioritize patching all deployed 7-Zip instances, especially on endpoints that handle archive files from external or untrusted sources. For organizations with restricted update timelines, consider disabling or removing 7-Zip from systems that do not require it, or restricting its use to trusted archives only. Until patched, assume that any .scap file processed by a vulnerable version may have caused information disclosure; treat any extracted content as potentially contaminated if the source is untrusted.

Patch guidance

Apply 7-Zip version 26.0.1 or a later patch release. Verify the version via the 7-Zip About dialog (Help > About) or by checking the executable version properties. After upgrade, perform a test extraction of a known .scap file to confirm normal operation. For enterprise deployments, coordinate patching through standard change management and test in a staging environment first. The fix is confirmed as addressing CWE-908 uninitialized memory, so version 26.0.1 will properly zero-initialize the heap buffer and validate ReadStream return values.

Detection guidance

Detection is challenging because the vulnerability produces no error messages or obvious failure modes—uninitialized memory is silently leaked. Monitor for unusual 7-Zip usage patterns, particularly extraction of .scap files from external sources. Endpoint telemetry should flag 7-Zip versions below 26.0.1 for priority patching. If memory forensics are available post-incident, examine heap dumps for fragments of sensitive data appearing in extracted file outputs. Network-level detection is difficult unless you can inspect archive traffic; focus detection efforts on the host-level inventory and version baseline.

Why prioritize this

Although severity is MEDIUM, prioritization depends on your organization's exposure. If your environment processes UEFI firmware updates, vendor-supplied capsules, or handles untrusted archives, this should be patched promptly because information disclosure could facilitate lateral movement or credential theft in a multi-stage attack. If 7-Zip is rarely used or only for personal use on trusted files, risk is lower but patching remains advisable given the simplicity of the attack. The lack of KEV status indicates this is not yet an active attack vector, providing a window to patch before threat actors weaponize it.

Risk score, explained

CVSS 3.1 score of 6.5 (MEDIUM) reflects confidentiality impact (C:H) with no integrity or availability consequences (I:N, A:N). The score is suppressed from HIGH because exploitation requires user interaction and has no attack prerequisites (AC:L). The MEDIUM rating is appropriate for information disclosure without direct system compromise; however, risk may be elevated in organizations where the disclosed memory could contain cryptographic material or authentication tokens. Use your organization's risk rating framework to adjust priority based on the sensitivity of data that may reside in 7-Zip process memory at the time of exploitation.

Frequently asked questions

Do I need to patch if I only use 7-Zip to extract .zip or .7z files, not .scap files?

The vulnerability is specific to the UEFI capsule (.scap) parser. If your workflows never involve .scap files, the immediate risk is lower. However, we still recommend upgrading to 26.0.1 or later for defense-in-depth, since .scap files could be received unexpectedly (e.g., mislabeled as .zip), and keeping software current is a security best practice.

Can an attacker remotely trigger this vulnerability, or does the user have to manually open a file?

User interaction is required—the user must extract or open the malicious .scap file, typically by dragging it into the 7-Zip interface or right-clicking and selecting extract. An attacker cannot trigger the vulnerability remotely just by sending the file; the user must actively process it. This limits the attack surface but does not eliminate risk, especially in organizations that handle untrusted archive content.

What kind of sensitive data could be leaked?

The vulnerability exposes uninitialized heap memory, which may contain fragments of previously allocated objects in the 7-Zip process. This could include encryption keys, passwords, temporary file buffers, or other data that was freed but not securely wiped. The exact content depends on what the process has previously allocated and freed. In the worst case, leaked data could aid further compromise, but the attacker cannot directly predict or control what will be in the buffer.

Is this vulnerability in the CISA Known Exploited Vulnerabilities list?

No, this vulnerability is not currently listed in CISA's KEV catalog, indicating it has not yet been reported as exploited in active attack campaigns. However, public disclosure and technical simplicity mean threat actors are likely to develop exploits. Do not use the absence of KEV status as a reason to delay patching.

This analysis is provided for informational purposes. Version numbers, CVSS scores, and CWE classifications are sourced from the official CVE record. Always verify patch availability and compatibility against the vendor's official advisory before deploying updates. SEC.co assumes no liability for decisions made based on this analysis. Consult your vendor's security guidance and your organization's risk management process for final patching decisions. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).