CVE-2026-48102: 7-Zip UDF Heap Out-of-Bounds Read (v9.11–26.00)
7-Zip versions 9.11 through 26.00 contain a flaw in how they parse UDF (Universal Disk Format) disc images—used in .iso and .udf files. When processing certain malformed UDF file structures, the parser reads 1 to 3 bytes beyond the allocated memory buffer. This out-of-bounds read occurs during the file open operation and can reveal small amounts of memory content or cause the application to crash. The vulnerability requires user interaction (opening a crafted archive) and affects only information disclosure and stability, not file integrity or system compromise.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 3.1 LOW · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-125
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
7-Zip is a file archiver with a high compression ratio. Versions 9.11 through 26.00 contain a heap out-of-bounds read of up to 3 bytes in the UDF disc image handler's File Identifier Descriptor parser. In CFileId::Parse (CPP/7zip/Archive/Udf/UdfIn.cpp), after validating size < 38 + idLen + impLen and advancing processed to 38 + impLen + idLen, the alignment-padding loop reads p[processed] while incrementing up to 3 times to reach a 4-byte boundary, and the processed <= size bounds check only runs after the loop. When (38 + impLen + idLen) % 4 != 0 and 38 + impLen + idLen == size, the loop reads 1 to 3 bytes past the end of the exact-size heap buffer allocated via buf.Alloc((size_t)item.Size). The UDF handler is registered for .iso and .udf files and auto-detected by signature, and the OOB read triggers during Open() when listing or extracting a crafted UDF image. Impact is limited to information disclosure (a 1-bit oracle per OOB byte via open/fail behavior) and denial of service (crash under hardened allocators); there is no write primitive. Version 26.01 fixes the issue.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in CFileId::Parse within 7zip/Archive/Udf/UdfIn.cpp. After validating that the combined size of identifier and implementation use fields plus a fixed 38-byte header fits within the buffer (size < 38 + idLen + impLen), the code advances a processing pointer and then enters an alignment-padding loop to reach a 4-byte boundary. The loop reads p[processed] while incrementing up to 3 times, but the bounds check (processed <= size) only executes after the loop completes. When the alignment requirement causes overflow—specifically when (38 + impLen + idLen) % 4 != 0 and the calculated offset equals the buffer size—1 to 3 bytes are read past the heap-allocated buffer boundary. The OOB read is triggered during Open() when the UDF handler processes the File Identifier Descriptor of a crafted disc image.
Business impact
Impact is contained to information disclosure and availability. The out-of-bounds read may leak 1 to 3 bytes of heap memory per successful trigger, though practical exploitation as an oracle is constrained by the need to infer leaked data through open/fail behavior. More immediately, the crash risk under memory-hardened allocators (ASAN, valgrind, or Windows guard pages) could disrupt workflows in environments processing untrusted archives. Organizations routinely using 7-Zip to extract or preview ISO/UDF files should prioritize patching to eliminate denial-of-service vectors and reduce information leakage risk in high-security contexts.
Affected systems
7-Zip versions 9.11 through 26.00 are affected. The vulnerability manifests when the UDF handler processes .iso or .udf files; the handler is auto-registered and auto-detected by file signature, so it triggers on any matching disc image regardless of file extension. The flaw impacts all platforms where 7-Zip is deployed (Windows, Linux, macOS). End-users and administrators distributing 7-Zip as a utility for archive inspection are at risk if they process untrusted archives.
Exploitability
Exploitation requires user interaction—a victim must open or list the contents of a crafted UDF disc image using 7-Zip (or an integrated tool that invokes the library). The CVSS vector AV:N/AC:H/UI:R reflects that attack complexity is high and user interaction mandatory. An attacker cannot remotely trigger the flaw without social engineering or distribution of malicious archives. The lack of a write primitive means attackers cannot corrupt data or escalate privilege; leakage is limited to reading nearby heap contents via repeated crafted archives and behavioral observation, and crashes are denial-of-service only.
Remediation
Upgrade to 7-Zip version 26.01 or later, which addresses the bounds-check sequencing flaw. The fix ensures the alignment-padding loop cannot read past the buffer boundary. Administrators should push this update through their software distribution channels. Interim mitigation for users unable to patch immediately: restrict processing of 7-Zip on untrusted or unsolicited ISO/UDF files, and disable auto-detection of the UDF handler if the tool configuration permits. Monitor systems using 7-Zip for unexpected crashes when opening archives.
Patch guidance
Apply 7-Zip version 26.01 or newer. Verify the update in Software > 7-Zip (or equivalent inventory) and confirm the version string post-deployment. No configuration changes are required after patching. If your environment uses 7-Zip as a library (embedded in third-party tools), verify that the hosting application has been updated to bundle the patched 7-Zip release; check vendor advisories for dependent products.
Detection guidance
Monitor for crashes or errors in 7-Zip processes, particularly when handling .iso or .udf files. Under Windows, watch for 'Unhandled Exception' or 'Buffer Overrun' messages in Event Viewer. On Unix-like systems, check syslog for segmentation faults associated with 7z or 7za binaries. Intrusion detection rules specific to this CVE are unlikely to surface quickly; instead, focus on monitoring process termination and stderr output when opening untrusted archives. Network-based detection is impractical (the trigger is local file parsing), but you may flag inbound transmission of suspicious .iso files in high-control environments.
Why prioritize this
Despite the LOW CVSS score (3.1), patch promptly because: (1) the vulnerability is universal across 7-Zip versions for nearly two decades, creating broad exposure; (2) crash risk is direct and reproducible in hardened environments; (3) the fix is simple, non-breaking, and available; (4) no active in-the-wild exploitation is known, making this a controlled, low-urgency upgrade window. Prioritize organizations processing untrusted archives or running 7-Zip in security-critical workflows (malware analysis labs, digital forensics tools).
Risk score, explained
The CVSS 3.1 score of 3.1 (LOW) reflects limited impact: confidentiality is slightly compromised (C:L), integrity and availability are unaffected in the vector (I:N/A:N). Attack complexity is high (AC:H) due to the precise buffer-alignment condition required, and user interaction is mandatory (UI:R). Network accessibility is present (AV:N) because archives can be delivered remotely, but the flaw is triggered only on local file parsing. The score does not weight the broad version range or frequency of 7-Zip usage; practitioners should weigh organizational exposure (how often untrusted archives are processed) separately.
Frequently asked questions
Can an attacker exploit this remotely without user interaction?
No. An attacker must craft a malicious UDF disc image and trick or socially engineer a user into opening it with 7-Zip. The vulnerability does not execute during file download or passive inspection; it triggers only when the archive is explicitly opened or listed.
What can an attacker learn from the out-of-bounds read?
At most, 3 bytes of adjacent heap memory are readable per crafted image. Extracting meaningful secrets requires repeated attacks and careful behavioral observation (e.g., does the archive open or crash?), making the information disclosure risk low in practice. No cryptographic keys, passwords, or file contents are reliably leaked.
Does this affect 7-Zip GUI and command-line tools equally?
Yes. Both 7zFM (GUI) and 7z/7za (CLI) use the same underlying library code. Any application invoking the 7-Zip library for UDF handling is affected until patched.
Is version 26.00 safe, or must I upgrade to 26.01 specifically?
Version 26.00 is vulnerable. You must upgrade to 26.01 or later. Verify the exact version after patching using 7z --version (CLI) or Help > About (GUI).
This analysis is for informational purposes and reflects the state of CVE-2026-48102 as of the published date. Readers should verify patch availability and applicability in their own environments and consult official 7-Zip release notes and vendor advisories before deploying patches. SEC.co makes no warranty regarding the accuracy, completeness, or fitness of this content for any particular use. Always test patches in non-production environments first. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-48092MEDIUM7-Zip 32-Bit Heap Memory Disclosure via SquashFS Integer Overflow
- CVE-2026-48103MEDIUM7-Zip WIM Handler Memory Read Vulnerability
- CVE-2026-48104MEDIUM7-Zip SquashFS Uninitialized Memory Read (CVSS 4.2)
- CVE-2026-48111MEDIUM7-Zip UEFI Parser Out-of-Bounds Read (v9.21–26.00)
- CVE-2026-48112MEDIUM7-Zip Heap Out-of-Bounds Read in AR Archive Handler
- CVE-2026-10233LOWOut-of-Bounds Read in Assimp Half-Life MDL Loader
- CVE-2026-10267LOWOut-of-Bounds Read in Janet Language Debug Frame Handling
- CVE-2026-45613LOWRizin Heap Buffer Over-Read in OMF File Parser