MEDIUM 4.2

CVE-2026-48104: 7-Zip SquashFS Uninitialized Memory Read (CVSS 4.2)

7-Zip versions 9.18 through 26.00 contain a memory safety bug in the SquashFS archive handler that can crash the application or leak heap information when processing a specially crafted archive file. The vulnerability stems from uninitialized memory left in an internal index structure; an attacker can craft a SquashFS archive that causes the handler to read from these uninitialized slots and potentially dereference invalid pointers during directory parsing. The issue is triggered automatically when you open the malicious file—no user interaction beyond that is required. The impact is limited to denial of service and potential information disclosure; the attacker cannot modify files or escalate privileges.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.2 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L
Weaknesses (CWE)
CWE-125, CWE-908
Affected products
1 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain an uninitialized heap read in the SquashFS archive handler caused by a sparsely populated index array. In the SquashFS handler, _blockToNode is allocated with capacity for every metadata block but populated only when an inode crosses a block boundary, so a crafted image with few inodes spanning many blocks leaves most slots holding raw heap contents (the underlying allocator does not zero-initialize POD storage). When OpenDir looks up an attacker-influenced blockIndex (derived from the RootInode superblock field), it reads two of these uninitialized slots and passes them as the left/right bounds of a binary search over _nodesPos, which dereferences the midpoint without bounds checking; if the resulting value happens to match the search key, the returned index is used to read a full node struct from _nodes whose fields feed further directory parsing, forming a chained OOB read primitive that is heap-layout-dependent and not reliably triggerable. The SquashFS handler is enabled by default in stock 7z.dll and the issue triggers during Open() with no interaction beyond opening the file; impact is denial of service from wild-pointer dereference and potential heap information disclosure, with no write primitive. Version 26.01 fixes the issue.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The SquashFS handler in 7-Zip allocates a _blockToNode array with slots for every metadata block, but populates it only when an inode crosses a block boundary. A sparsely populated SquashFS image leaves most array slots uninitialized (the allocator does not zero-initialize heap memory). When OpenDir retrieves an attacker-controlled blockIndex value from the RootInode superblock field, it uses this value as a search key in the _nodesPos array. The binary search reads two uninitialized heap values as left and right bounds, dereferences the midpoint without validation, and if the dereferenced value matches the search key, returns an index to read a node struct from _nodes. This forms a chained out-of-bounds read primitive whose reliability depends on heap layout and the specific garbage values present, making it non-deterministic. CWE-125 (out-of-bounds read) and CWE-908 (use of uninitialized resource) are the root causes.

Business impact

This vulnerability primarily affects organizations and individuals who handle untrusted SquashFS archives—a format common in embedded systems, disk images, and Linux distributions. A malicious archive could cause 7-Zip to crash during routine file operations, disrupting workflows for users who rely on the tool for backup or forensic analysis. The potential for heap information disclosure poses a secondary risk if an attacker can repeatedly trigger the bug and observe crash details or error messages that leak memory layout information. However, the lack of a write primitive or privilege escalation path limits the overall threat; this is not a vector for malware installation or lateral movement.

Affected systems

7-Zip versions 9.18 through 26.00 are affected. This includes all major releases over a 17-year span (2009–2026). The SquashFS handler is enabled by default in stock 7z.dll, meaning all standard installations are vulnerable unless explicitly patched. Users of 7-Zip on Windows, Linux, macOS, and other platforms are equally at risk if they use the affected versions. Version 26.01 and later contain the fix.

Exploitability

Exploitation requires crafting a malicious SquashFS archive and convincing or tricking a user to open it with 7-Zip. The attack is triggered automatically upon file open (OpenDir), with no user action beyond that point. However, the out-of-bounds read is non-deterministic and heap-layout-dependent; the garbage values in the uninitialized array must align in a specific way to trigger a dereference, making reliable exploitation difficult. The CVSS score of 4.2 (Medium) reflects this constraint: the vector (AC:H) denotes high attack complexity due to the unpredictable nature of heap state. This is not a one-click worm or a reliable remote code execution vector; it is a memory safety bug that an attacker must trigger carefully and repeatedly to observe consistent behavior.

Remediation

Update 7-Zip to version 26.01 or later, which properly initializes the _blockToNode index and performs bounds checking during binary search. Users should prioritize this update if they regularly open archives from untrusted sources or as part of a forensic or file-handling workflow. Organizations that rely on 7-Zip for critical backup or archival operations should test the update in a non-production environment before broad deployment to ensure compatibility with existing workflows.

Patch guidance

Upgrade to 7-Zip version 26.01 or later. The patch fixes the uninitialized memory issue by zero-initializing the _blockToNode heap allocation and adding bounds validation to the binary search logic over _nodesPos. Verify the update from the official 7-Zip website (7-zip.org) and confirm the version number post-installation. For enterprise deployments, consider using a software deployment tool to roll out the update across client systems. No workarounds are available for older versions; patching is the only mitigation.

Detection guidance

Monitor for crashes or abnormal termination of 7-Zip processes when handling archives, particularly those sourced from external or untrusted origins. Implement a policy to scan or sandbox SquashFS archives before opening them with user-facing tools. Check for the presence of 7-Zip version 26.00 or earlier in your software inventory using endpoint detection or asset management tools. Consider alerting on attempts to open suspicious or malformed SquashFS files by monitoring file access patterns and application logs. Network-based detection is not applicable since the vulnerability is triggered locally during file parsing.

Why prioritize this

Although the CVSS score is Medium (4.2), this vulnerability merits prompt attention because it affects a widely deployed, user-facing utility and requires only file delivery to trigger. The SquashFS format is increasingly common in container images and Linux distributions, expanding the surface area for malicious archive delivery. The non-deterministic nature of the bug does not eliminate the risk—repeated attacks or targeted heap spray techniques could increase reliability in specific environments. Prioritize patching systems that handle externally sourced archives, forensic images, or Linux-based software builds. Organizations with mature patch management should treat this as a standard monthly update; those handling high-risk file sources should expedite deployment.

Risk score, explained

The CVSS 3.1 score of 4.2 reflects a Medium-severity vulnerability with low direct impact (information disclosure and denial of service only) tempered by high attack complexity (heap layout dependency). The vector AV:N (network-accessible) accounts for archive delivery over the network; AC:H (high complexity) penalizes the unreliability of heap-dependent exploitation; PR:N/UI:R indicate no privileges required but user interaction (file opening) is necessary; S:U/C:L/I:N/A:L cap the damage at confidentiality and availability loss with no integrity impact. The score does not account for the prevalence of 7-Zip or the growing use of SquashFS in software supply chains, which elevate real-world risk beyond the numerical score.

Frequently asked questions

Can this vulnerability be exploited remotely without user action?

No. While the archive can be delivered over the network, exploitation requires a user to open the file with 7-Zip. There is no automatic trigger, no network listening component, and no privilege escalation. An attacker must convince or socially engineer a user into opening a malicious SquashFS archive.

Does the vulnerability allow arbitrary code execution?

No. The uninitialized read and potential dereference can cause the application to crash or leak small amounts of heap memory, but there is no write primitive, return-oriented programming (ROP) gadget chain, or code execution capability. This is strictly a denial of service and information disclosure issue.

Are users of other archive formats (ZIP, RAR, 7z) at risk?

This vulnerability is specific to the SquashFS handler. ZIP, RAR, and standard 7z archives do not trigger this bug. However, users who receive SquashFS-formatted files or disk images should ensure they are using 7-Zip 26.01 or later before opening untrusted files in these formats.

What should I do if I cannot patch immediately?

Avoid opening SquashFS archives from untrusted or external sources until you can update. If handling such files is unavoidable, do so in an isolated environment (virtual machine, sandboxed system) without network access. Additionally, validate the integrity and source of archives using cryptographic signatures where available before processing them with 7-Zip.

This analysis is based on publicly disclosed vulnerability information and vendor advisories current as of the publication date. The vulnerability details, affected versions, and patch information reflect the vendor's statement; verify against the official 7-Zip release notes and security advisories before deploying patches in production. Exploitation reliability, real-world attack prevalence, and impact may vary depending on specific 7-Zip build configuration, operating system, heap allocator behavior, and attacker sophistication. This intelligence is provided for defensive purposes only and does not constitute permission to test, probe, or exploit systems without explicit authorization. Consult your organization's security policy, legal counsel, and vendor documentation before implementing any remediation or detection measures. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).