CVE-2026-48112: 7-Zip Heap Out-of-Bounds Read in AR Archive Handler
7-Zip versions 9.18 through 26.00 contain a memory safety defect in their handler for Unix ar archives—specifically when parsing BSD-style symbol tables. The flaw allows an attacker to craft a malicious ar archive that, when opened by 7-Zip, causes the parser to read 4 bytes of uninitialized heap memory beyond the intended buffer boundary. This disclosure of uninitialized data could leak sensitive information from the process memory. The vulnerability requires user interaction: a victim must open the malicious archive file. Version 26.01 resolves the issue.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 6.5 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-125, CWE-190
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-05 / 2026-06-17
NVD description (verbatim)
7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain a heap out-of-bounds read in 7-Zip Ar handler BSD SYMDEF parser. A 4-byte heap out-of-bounds read exists in the Unix ar archive parser in 7-Zip. When parsing a BSD-style __.SYMDEF symbol table, the ParseLibSymbols function reads a 32-bit namesSize field via Get32 at a position that can equal the buffer size, reading 4 bytes past the end of the heap allocation. This reads uninitialized heap data under the default allocator. Version 26.01 patches the issue.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The ParseLibSymbols function in 7-Zip's ar archive handler contains a heap out-of-bounds read (CWE-125). When parsing a BSD SYMDEF symbol table, the function retrieves a 32-bit namesSize field via a Get32 call at an offset that can equal or exceed the buffer size, resulting in a 4-byte read past the heap allocation boundary. Under typical memory allocators, this reads uninitialized heap data rather than crashing immediately. The integer handling (CWE-190) contributes to the boundary condition. This is a read-only violation; no memory corruption or code execution occurs.
Business impact
This vulnerability poses a confidentiality risk to users who extract or preview ar archives from untrusted sources. Leaked heap memory could contain sensitive application state, cached credentials, or other process data. Organizations that rely on 7-Zip for secure handling of archived source code, software packages, or sensitive documents should treat this as a data leakage concern. The impact is localized to the 7-Zip process and does not enable lateral movement or system compromise.
Affected systems
7-Zip versions 9.18 through 26.00 are affected. Version 26.01 and later contain the patch. Systems running older or unpatched 7-Zip installations are vulnerable. The defect exists in the Unix ar archive parser, so it affects all platforms on which 7-Zip is compiled with ar handler support, including Windows, macOS, and Linux.
Exploitability
Exploitation requires crafting a specially formatted ar archive with a malicious BSD SYMDEF symbol table and delivering it to a user. The user must then open or extract the archive in 7-Zip. There is no network exploitation vector; this is file-based. The required user interaction (opening a file) and the need to construct a valid ar structure moderately raise the barrier, but well-formed payloads are feasible for an attacker with archive format knowledge. The vulnerability does not appear on the KEV catalog, indicating no known active exploitation in the wild as of publication.
Remediation
Update 7-Zip to version 26.01 or later. For organizations unable to patch immediately, implement file-type controls: disable or restrict 7-Zip's ability to open ar archives from untrusted sources, or use alternate archival tools for sensitive workflows. Consider user training to avoid opening archive files from unknown origins. Monitor for signs of suspicious memory leaks or crashes when 7-Zip processes archives.
Patch guidance
Upgrade to 7-Zip version 26.01 or any subsequent release. Verify the version in your deployment by checking Help > About or the version string in automated inventory tools. Test the patch in a non-production environment first to ensure compatibility with your archive workflows. For containerized or managed deployments, rebuild images with the patched 7-Zip binary. No configuration changes are required post-patch; the fix is transparent.
Detection guidance
Monitor process heap behavior and memory access patterns when 7-Zip opens ar archives. Tools like AddressSanitizer or Valgrind can detect the out-of-bounds read during testing. In production, watch for unexpected process termination or memory errors in 7-Zip logs. Network-based detection is not applicable; file integrity monitoring on archive repositories and access logs for ar files can help identify suspicious activity. Endpoint detection and response (EDR) systems may flag abnormal memory access patterns if configured to monitor application heap operations.
Why prioritize this
This vulnerability merits prompt but not emergency patching. The CVSS score of 6.5 (Medium severity) reflects the confidentiality impact and the requirement for user action. It does not enable code execution or privilege escalation. Prioritize patching in environments where 7-Zip frequently processes archives from external or untrusted sources—such as development teams, security researchers, or content analysis pipelines. Organizations whose 7-Zip usage is limited to internal, vetted archives face lower risk and can schedule updates in normal maintenance windows.
Risk score, explained
The CVSS 3.1 score of 6.5 (Medium) is justified by: (1) high confidentiality impact (C:H)—uninitialized heap disclosure can leak sensitive data; (2) no integrity or availability impact—the read is out-of-bounds but does not corrupt memory or crash the application; (3) network-accessible attack vector (AV:N)—the archive can be delivered remotely; (4) low attack complexity (AC:L)—crafting a malicious ar file is straightforward; (5) no privileges required (PR:N); (6) required user interaction (UI:R)—the victim must open the file. The absence of scope change (S:U) caps the severity at Medium.
Frequently asked questions
Can this vulnerability lead to remote code execution or system compromise?
No. This is a read-only out-of-bounds access that discloses uninitialized heap memory. It does not corrupt memory, overwrite function pointers, or enable code execution. The impact is limited to information disclosure and is confined to the 7-Zip process.
Do I need to patch immediately if I run 7-Zip only on internal, trusted archives?
No. If your 7-Zip usage is restricted to archives you create or obtain from verified internal sources, your risk is very low. Patch during your normal maintenance cycle. Prioritize updates for systems that process archives from external, untrusted, or user-supplied sources.
How do I verify that 7-Zip has been patched on my system?
Check the version number in 7-Zip: go to Help > About (or run `7z --version` on the command line). Confirm it shows version 26.01 or later. If you use automated inventory tools or package managers, verify that they report the patched version.
Are there workarounds if I cannot patch right away?
Yes. Restrict 7-Zip from opening ar archives, use alternative archival tools, or configure your endpoint to block execution of 7-Zip on untrusted files. User education about not opening suspicious archive files is also effective. However, these are temporary measures; patching is the definitive fix.
This analysis is provided for informational purposes and represents the state of publicly available information as of the publication date. SEC.co does not conduct independent verification of vendor patches or exploitability claims. Organizations should verify all patch versions and compatibility against official 7-Zip release notes and security advisories before deployment. The absence of the vulnerability from the KEV catalog does not guarantee immunity from targeted exploitation. This document does not constitute legal or compliance advice; consult your security and compliance teams for integration into your patch management and risk assessment processes. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10999MEDIUMGoogle Chrome ANGLE Integer Overflow Information Disclosure
- CVE-2026-11299MEDIUMInteger Overflow in Google Chrome Font Processing (Medium Severity)
- CVE-2026-48092MEDIUM7-Zip 32-Bit Heap Memory Disclosure via SquashFS Integer Overflow
- CVE-2026-48103MEDIUM7-Zip WIM Handler Memory Read Vulnerability
- CVE-2026-48104MEDIUM7-Zip SquashFS Uninitialized Memory Read (CVSS 4.2)
- CVE-2026-48111MEDIUM7-Zip UEFI Parser Out-of-Bounds Read (v9.21–26.00)
- CVE-2026-48095HIGHCritical Heap Overflow in 7-Zip NTFS Handler Enables Code Execution
- CVE-2026-48102LOW7-Zip UDF Heap Out-of-Bounds Read (v9.11–26.00)