CVE-2026-48111: 7-Zip UEFI Parser Out-of-Bounds Read (v9.21–26.00)
7-Zip versions 9.21 through 26.00 contain a boundary-checking flaw in their UEFI firmware image parser. When processing certain archive sections, the parser uses an incorrect comparison operator that allows a malicious opcode value to read data beyond an array's bounds. This can either crash the application when the out-of-bounds memory is invalid, or leak small amounts of adjacent string data into the archive's metadata. The flaw is triggered automatically when opening a specially crafted archive file, but the leaked information is limited and does not expose sensitive data or memory layout information.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
- Weaknesses (CWE)
- CWE-125
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an off-by-one out-of-bounds read vulnerability in the ParseDepedencyExpression function of the UEFI firmware image parser(CPP/7zip/Archive/UefiHandler.cpp). The function validates an attacker-controlled opcode byte using > instead of >= against the element count of the 10-entry kExpressionCommands static array, allowing an opcode value of 10 to read one pointer slot (8 bytes on x64) past the end of the array in .rodata. The out-of-bounds value is then dereferenced as a const char * and passed through strlen and memcpy into the archive's Characts property, which may cause either a denial of service (access violation when the adjacent bytes do not form a valid readable pointer) or a minor information disclosure of an adjacent .rdata string literal into archive metadata. The vulnerability is reached automatically during IInArchive::Open() via the call path OpenFv/OpenCapsule → ParseVolume → ParseSections when processing a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section whose first body byte is 0x0A, and the UEFI handler is enabled by default in stock 7z.dll with signature-based detection for both UEFIc and UEFIf formats. The outcome (crash vs. silent leak) is deterministic per build but linker-layout dependent, with no write primitive and no disclosure of heap data, secrets, or ASLR base addresses. Version 26.01 fixes the issue.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the ParseDepedencyExpression function (CPP/7zip/Archive/UefiHandler.cpp) of 7-Zip's UEFI firmware image parser. The function validates an attacker-controlled opcode byte against a 10-entry static array (kExpressionCommands) using a > comparison instead of >=, permitting an opcode value of 10 to bypass validation. This causes the function to read one pointer slot (8 bytes on 64-bit systems) past the array's boundary in read-only data. The out-of-bounds pointer is then dereferenced as a const char*, and the resulting string is processed through strlen and memcpy into the archive's Characts property. The vulnerability is reached via the IInArchive::Open() call path (OpenFv/OpenCapsule → ParseVolume → ParseSections) when the UEFI handler encounters a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section whose first byte is 0x0A. The UEFI handler is enabled by default in stock 7z.dll and detects both UEFIc and UEFIf formats automatically. The outcome is deterministic but linker-layout dependent—either an access violation (denial of service) or silent disclosure of an adjacent read-only string literal. No write primitive, heap disclosure, secret exfiltration, or ASLR base leak is possible.
Business impact
For organizations that use 7-Zip to process untrusted archive files—particularly firmware updates, OEM appliance images, or UEFI capsule archives—this vulnerability poses a limited but real operational risk. A denial-of-service condition could disrupt batch processing or automated firmware validation workflows. The potential for information disclosure, while constrained to adjacent string literals in read-only memory, could theoretically aid reconnaissance in multi-stage attacks, though the leaked data is not cryptographic material, configuration secrets, or ASLR base addresses. Affected deployments should prioritize patching to eliminate both the crash vector and the information leak.
Affected systems
7-Zip versions 9.21 through 26.00 are vulnerable when the UEFI firmware image parser is invoked. This occurs by default in standard 7z.dll installations when processing archive files. The vulnerability is triggered only when parsing archives containing SECTION_DXE_DEPEX or SECTION_PEI_DEPEX sections with specific malformed content, making it relevant primarily to organizations that handle UEFI firmware images, BIOS updates, system firmware capsules, or similar binary archives. Version 26.01 and later contain the fix.
Exploitability
The vulnerability is mechanically exploitable—a specially crafted archive file will trigger the flaw automatically during normal file opening without requiring user interaction beyond launching 7-Zip. However, practical exploitation is narrowly scoped: the attacker must construct a valid UEFI firmware image structure with a malicious SECTION_DXE_DEPEX or SECTION_PEI_DEPEX section, and the outcome (crash versus silent leak) is deterministic per compiled binary but dependent on linker layout. The leaked information is restricted to adjacent string literals in read-only memory segments and does not include heap data, secrets, or address space layout information. The flaw does not provide code execution or write primitives. Exploitation is most feasible in scenarios where an attacker controls firmware updates or system image distribution.
Remediation
Upgrade 7-Zip to version 26.01 or later, which corrects the off-by-one comparison operator in the ParseDepedencyExpression function. If immediate patching is not feasible, consider disabling UEFI firmware image processing if your workflow permits (though this is not a standard configuration option and may require recompilation or third-party tools). Restrict archive processing to trusted sources and avoid opening UEFI firmware images or BIOS updates from untrusted vendors until patched.
Patch guidance
7-Zip version 26.01 resolves the vulnerability. Verify the installed version via Help > About or command-line (7z.exe). Download the latest stable release from the official 7-Zip website, not mirrors or secondary sources. For enterprise deployments, test the update in a staging environment with your standard firmware image workflows to confirm no behavioral changes. No known backwards-compatibility issues are reported; the patch modifies only the comparison logic.
Detection guidance
Monitor for 7-Zip crashes (access violations) when processing UEFI firmware archives, especially BIOS updates or OEM appliance images. Log any IInArchive::Open() failures in processes handling firmware binaries. Inspect incoming firmware updates for SECTION_DXE_DEPEX or SECTION_PEI_DEPEX sections with unusual first bytes (0x0A in particular), though this requires binary analysis tools. In centralized logging environments, correlate 7-Zip process terminations with firmware processing workflows. Note that successful silent information leaks into archive metadata may not trigger alerts; inspect the Characts properties of processed archives for unexpected string content if forensic analysis is warranted.
Why prioritize this
Although the CVSS score of 4.3 reflects low to medium severity, this vulnerability merits prompt attention for organizations handling firmware images because: (1) the attack surface is automatic—no special user interaction is required; (2) the flaw affects a widely deployed utility with default enabled UEFI parsing; (3) firmware supply chains are high-value targets, and information disclosure into metadata can support reconnaissance; (4) the fix is straightforward and low-risk. Organizations not processing UEFI firmware images can deprioritize but should still patch opportunistically.
Risk score, explained
The CVSS 3.1 score of 4.3 (MEDIUM) reflects: network-accessible vector (archives obtained remotely), low complexity (trivial to craft the payload), no authentication, user interaction required (opening the archive), no impact on confidentiality of primary data (only read-only string literals leak), no integrity impact, and limited availability impact (denial of service only in specific configurations). The score does not account for the narrow scope of affected workloads (UEFI firmware processing) or the deterministic nature of the flaw; for organizations in the firmware supply chain, contextual risk is higher than the generic score suggests.
Frequently asked questions
Can this vulnerability be exploited over a network without user interaction?
The archive file must be opened by a user or automated process (e.g., firmware validation script) for the vulnerability to trigger. There is no remote code execution or network-based instant compromise. However, if your organization automatically processes firmware updates or archives from external sources, the attack surface is effectively automatic once the file is in the pipeline.
What information can be disclosed, and is it sensitive?
The vulnerability leaks small amounts of adjacent read-only string literals from the .rdata section into the archive's Characts property. This is not cryptographic material, API keys, configuration secrets, or memory layout information (ASLR base, heap pointers). The disclosed strings are typically debug symbols or error message fragments and are of limited value except for reconnaissance in multi-stage attacks.
Do I need to patch immediately if I don't work with UEFI firmware images?
No. If your use of 7-Zip is limited to general-purpose file archiving (ZIP, 7Z, RAR, etc.), this vulnerability is not a threat to you. The flaw is specific to the UEFI firmware image parser and is triggered only by crafted UEFI capsule or firmware image files. However, it is good practice to patch opportunistically during your next update cycle.
Can the attacker achieve code execution or write files with this vulnerability?
No. The vulnerability permits only an out-of-bounds read of a single pointer value, which is dereferenced as a string. There is no write primitive, and the read is confined to read-only memory sections. Code execution is not possible.
This analysis is based on the published CVE description and CVSS vector as of the modification date. Verify all patch version numbers, affected product ranges, and vendor advisories against official 7-Zip release notes before implementing remediation. No exploit code is provided. Organizations should conduct their own risk assessment based on their specific use of 7-Zip and UEFI firmware processing workflows. This advisory is not a substitute for official vendor guidance or professional security assessment. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-48092MEDIUM7-Zip 32-Bit Heap Memory Disclosure via SquashFS Integer Overflow
- CVE-2026-48103MEDIUM7-Zip WIM Handler Memory Read Vulnerability
- CVE-2026-48104MEDIUM7-Zip SquashFS Uninitialized Memory Read (CVSS 4.2)
- CVE-2026-48112MEDIUM7-Zip Heap Out-of-Bounds Read in AR Archive Handler
- CVE-2026-48102LOW7-Zip UDF Heap Out-of-Bounds Read (v9.11–26.00)
- CVE-2025-70101MEDIUMlwext4 1.0.0 Out-of-Bounds Read Denial of Service
- CVE-2026-10305MEDIUMOut-of-Bounds Read in Samsung rlottie Animation Library
- CVE-2026-10979MEDIUMChrome ANGLE Out-of-Bounds Read Memory Disclosure Vulnerability