CVE-2026-48103: 7-Zip WIM Handler Memory Read Vulnerability
7-Zip versions 9.34 through 26.00 contain a memory read vulnerability in the WIM (Windows Imaging Format) archive handler. When processing specially crafted WIM files, the software reads a small amount of data just beyond an allocated memory region due to an off-by-one error in bounds checking. This occurs automatically in the file manager when listing directory contents, requiring only that a user open or preview a malicious WIM file. The practical impact is limited to crashes or potential minor leaks of adjacent memory; no file corruption or system compromise is possible through this flaw alone.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-125
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain an off-by-one heap out-of-bounds read in the WIM (Windows Imaging) archive handler's security descriptor lookup. In CHandler::GetSecurity (CPP/7zip/Archive/Wim/WimHandler.cpp), the per-image SecurOffsets table holds numEntries + 1 cumulative offsets, but the check securityId >= SecurOffsets.Size() admits securityId == numEntries, and the function then reads SecurOffsets[securityId + 1], fetching one UInt32 past the end of the heap-allocated CRecordVector (which performs no bounds checking on operator[]). The securityId is attacker-controlled at offset +0xC of any directory entry in WIM metadata, and the handler is registered for .wim, .swm, .esd, and .ppkg and enabled by default in stock 7z.dll; the OOB triggers zero-click in the GUI because 7zFM.exe's ListView calls GetRawProp(kpidNtSecure) for every item during listing (ASan-confirmed), and is also reachable via CLI listing with 7zz l -slt. Impact is limited to denial of service under hardened allocators and minor information disclosure, since the OOB value is only consumed arithmetically as a length and is not surfaced to the attacker; there is no write primitive.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in CHandler::GetSecurity within the WIM archive handler (CPP/7zip/Archive/Wim/WimHandler.cpp). The handler maintains a SecurOffsets table with numEntries + 1 cumulative offsets for security descriptor lookups. The bounds check permits securityId to equal numEntries; when this occurs, the code reads SecurOffsets[securityId + 1], accessing memory one UInt32 past the allocated heap buffer. The CRecordVector container performs no runtime bounds validation on operator[] access. The securityId value is derived from directory entry metadata at offset +0xC in WIM files, making it attacker-controlled. The GUI file manager (7zFM.exe) triggers the vulnerability zero-click during directory enumeration when it queries GetRawProp(kpidNtSecure) for display purposes. Command-line users can also trigger it via 7zz l -slt listing operations.
Business impact
For most organizations, the risk is denial of service—user-facing crashes when opening or previewing malicious WIM archives. This could disrupt workflows for system administrators or deployment engineers who routinely handle WIM images (common in Windows imaging and recovery scenarios). The vulnerability does not enable data theft, privilege escalation, or lateral movement. In environments using 7-Zip for archive validation or batch processing of untrusted WIM files, crash loops could require service restarts. The information disclosure component is negligible in practice, as leaked memory is consumed only as a numeric length and never exposed to the attacker.
Affected systems
7-Zip versions 9.34 through 26.00 are affected. The vulnerable WIM handler is registered for .wim, .swm, .esd, and .ppkg file types and is enabled by default in 7z.dll. Both the graphical file manager (7zFM.exe) and command-line tools (7zz, 7za) are susceptible. Any Windows system with 7-Zip installed that may encounter WIM files—particularly system administrators, deployment engineers, and IT personnel—should be considered at risk. Linux and macOS builds using the same codebase are also affected if they process WIM archives.
Exploitability
Exploitation requires only distributing a crafted WIM file to a target. No authentication, special privileges, or complex user interaction beyond opening the file is necessary; the GUI triggers the flaw automatically during normal directory listing. Network-based delivery (e-mail, file share, web download) is feasible. However, the impact is constrained: crashes occur under all allocators, but memory corruption is blocked by the OOB read-only nature and lack of subsequent write operations. Weaponizing this for remote code execution is not credible given the current code path. The CVSS 3.1 score of 4.3 (MEDIUM, AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) appropriately reflects low-but-realistic availability risk with user interaction required.
Remediation
Update 7-Zip to a patched version released after 2026-06-05. Verify against the vendor advisory for the specific version number that corrects the bounds check in CHandler::GetSecurity. As an interim mitigation, disable automatic WIM file handling in the file manager settings if feasible, or instruct users to avoid opening WIM files from untrusted sources. For batch processing workflows, implement pre-scanning using a static WIM validator or updated 7-Zip release before processing archives from external sources.
Patch guidance
Monitor 7-Zip releases and vendor advisories for a corrected version following the 2026-06-17 modification date. The fix will tighten the bounds check to securityId > numEntries (or equivalent) to prevent the off-by-one condition. Apply patches to all systems where 7-Zip is installed, paying particular attention to administrative workstations, deployment servers, and help-desk machines that may handle WIM images. Test the patched version in a limited environment first to ensure compatibility with existing workflows before broad rollout.
Detection guidance
Monitor for 7-Zip crashes or abnormal termination events, particularly when user-initiated file manager operations coincide with WIM file access. On Windows, check Event Viewer for faults in 7zFM.exe or 7zz.exe processes. Endpoint Detection and Response (EDR) tools configured to alert on application crashes in security-sensitive tools may flag suspicious patterns. Network-based detection is difficult without file content inspection; focus on endpoint telemetry. If forensic logs are available, correlate user file-open operations on .wim, .swm, .esd, or .ppkg files with process termination. Proactive hunting: scan for outdated 7-Zip installations across the environment and prioritize patch deployment to hosts processing WIM files regularly.
Why prioritize this
Although the CVSS score is MEDIUM (4.3) and exploitability is straightforward, practical business impact is limited to availability disruption. Prioritize patching based on your organization's reliance on WIM processing (high for imaging/deployment teams, low for general office users). Systems in high-availability environments should be updated promptly to avoid unexpected crashes. Non-critical workstations can be patched on a standard maintenance schedule. Do not elevate urgency to critical unless your organization regularly handles WIM files from untrusted or external sources.
Risk score, explained
The CVSS 3.1 base score of 4.3 reflects: Network-accessible attack vector (AV:N); Low attack complexity, no special conditions (AC:L); No privileges required (PR:N); User interaction required—the user must open a file or listing (UI:R); Unchanged scope (S:U); No confidentiality impact (C:N); No integrity impact (I:N); and Low availability impact via denial of service (A:L). This scoring is appropriate because exploitation is trivial but consequences are confined to local process crashes without system-wide compromise or data exfiltration.
Frequently asked questions
Does this vulnerability allow remote code execution?
No. The out-of-bounds read is followed only by arithmetic operations on the leaked value (used as a length). There is no write primitive, no code execution path, and no mechanism to achieve RCE. Impact is limited to crashes or minor information leakage of adjacent heap memory.
Can this be exploited without user action?
In the GUI (7zFM.exe), the vulnerability triggers automatically during directory listing when the file manager queries security properties for display. However, a user must first open a folder containing or navigate to the malicious WIM file. Command-line exploitation requires the user to explicitly run a listing command. In both cases, user interaction (opening a file or running a command) is necessary.
Which file types are affected?
The WIM handler is registered for .wim, .swm, .esd, and .ppkg files by default. All are susceptible if they contain maliciously crafted directory entries with out-of-range securityId values at the specified metadata offset.
What should deployment teams prioritize?
Organizations that routinely handle WIM images for system deployment, imaging, or recovery should prioritize patching. Casual users who rarely open archive files face minimal risk. Focus on infrastructure automation, imaging servers, and administrative workstations first.
This analysis is provided for informational purposes. All patch version numbers and release dates must be verified against official 7-Zip vendor advisories and security bulletins before deployment. The CVSS score and vector are as published in the CVE record; organizations should apply their own risk assessment frameworks. No exploit code or weaponized proof-of-concept is provided or endorsed. Test patches in a non-production environment before broad rollout. This vulnerability may be updated as new information becomes available; consult upstream advisories regularly. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-48092MEDIUM7-Zip 32-Bit Heap Memory Disclosure via SquashFS Integer Overflow
- CVE-2026-48104MEDIUM7-Zip SquashFS Uninitialized Memory Read (CVSS 4.2)
- CVE-2026-48111MEDIUM7-Zip UEFI Parser Out-of-Bounds Read (v9.21–26.00)
- CVE-2026-48112MEDIUM7-Zip Heap Out-of-Bounds Read in AR Archive Handler
- CVE-2026-48102LOW7-Zip UDF Heap Out-of-Bounds Read (v9.11–26.00)
- CVE-2025-70101MEDIUMlwext4 1.0.0 Out-of-Bounds Read Denial of Service
- CVE-2026-10305MEDIUMOut-of-Bounds Read in Samsung rlottie Animation Library
- CVE-2026-10979MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure Vulnerability