Upgrade Immediately: 7-Zip CVE-2026-48095 Enables Arbitrary Code Execution via NTFS Heap Overflow
A heap buffer overflow in 7-Zip’s NTFS handler allows attackers to hijack virtual function tables and execute arbitrary code — triggered by opening a crafted file with any extension. All versions through 26.00 are affected. Patch is available.
Update 7-Zip to version 26.01 immediately. All versions through 26.00 are vulnerable. The patched release was made available on April 27, 2026. With an unpatched installation, do not open files from untrusted sources, whatever their extension, because the vulnerable handler is selected by file content rather than by file name.
Overview
GitHub Security Lab researcher Jaroslav Lobačevski disclosed a critical heap buffer overflow vulnerability in 7-Zip on May 22, 2026, under advisory GHSL-2026-140. Cybersecurity news outlets including cybersecuritynews.com reported on it May 26, 2026. Tracked as CVE-2026-48095, the flaw resides in the NTFS archive handler and affects every version of 7-Zip up to and including 26.00.
The vulnerability carries a CVSS 3.1 score of 8.8 (High) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H: full compromise of the affected user's context, requiring only that a user open a maliciously crafted file. A proof-of-concept exploit has already been published.
Technical Root Cause
The vulnerability originates in the CInStream::GetCuSize() function inside NtfsHandler.cpp. This function calculates the NTFS compressed unit buffer size using a 32-bit shift expression:
(UInt32)1 << (BlockSizeLog + CompressionUnit)
When a crafted NTFS image sets ClusterSizeLog to a value of 28 or greater, a value the parser explicitly accepts, and a compressed data attribute sets CompressionUnit to 4, the shift exponent reaches 28 + 4 = 32. In C++, shifting a 32-bit integer by 32 or more positions is undefined behavior.
On x86, the processor masks the shift count of a 32-bit shift to its low five bits, so a count of 32 behaves as a count of 0 and the expression evaluates to 1. The undefined behavior therefore manifests as _inBuf being allocated as just 1 byte instead of the intended large buffer.
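The following is an added example, not 7-Zip's code: the first function reproduces the page's size expression while applying the five-bit masking that x86 performs on 32-bit shift counts explicitly (so the C stays defined while giving the same result the hardware gives), and the second is the kind of bounds check that would have rejected the crafted exponent before any allocation. The function and parameter names, and the 256 MB ceiling on a compression-unit size, are assumptions made for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the vulnerable computation as it behaves on x86.
 * The real expression is `(UInt32)1 << (BlockSizeLog + CompressionUnit)`,
 * which is undefined in C/C++ once the count reaches 32. x86 masks the
 * count of a 32-bit shift to its low five bits, so 32 acts like 0 and the
 * result is 1. The `& 31` below makes that hardware behaviour explicit
 * instead of relying on undefined behaviour.                              */
uint32_t cu_size_x86_model(unsigned blockSizeLog, unsigned compressionUnit)
{
    unsigned count = blockSizeLog + compressionUnit;
    return (uint32_t)1 << (count & 31);   /* 28 + 4 = 32 -> shift by 0 -> 1 byte */
}

/* Assumed policy ceiling for a single compression unit (illustrative). */
#define MAX_CU_SIZE_LOG 28u   /* 256 MB */

/* Hardened form: validate the exponent before shifting, and refuse sizes
 * above a sane ceiling. Returns false (and leaves *out untouched) when the
 * parameters would produce an unrepresentable or oversized buffer.        */
bool cu_size_checked(unsigned blockSizeLog, unsigned compressionUnit, uint32_t *out)
{
    /* Each operand is bounded first so the sum cannot wrap. */
    if (blockSizeLog > 31u || compressionUnit > 31u)
        return false;
    unsigned count = blockSizeLog + compressionUnit;
    if (count > MAX_CU_SIZE_LOG)          /* also rejects count >= 32 */
        return false;
    *out = (uint32_t)1 << count;
    return true;
}

/* Convenience wrapper: 0 means "rejected" (a real size is never 0). */
uint32_t cu_size_or_zero(unsigned blockSizeLog, unsigned compressionUnit)
{
    uint32_t size = 0;
    return cu_size_checked(blockSizeLog, compressionUnit, &size) ? size : 0;
}

int main(void)
{
    /* Constructed inputs: a normal 4 KB cluster with CompressionUnit 4, and
     * the crafted ClusterSizeLog = 28 / CompressionUnit = 4 case from the advisory. */
    const unsigned cases[][2] = { {12u, 4u}, {28u, 4u}, {30u, 4u} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned b = cases[i][0], c = cases[i][1];
        printf("BlockSizeLog=%2u CompressionUnit=%u  x86 model: %10u bytes  checked: %u\n",
               b, c, cu_size_x86_model(b, c), cu_size_or_zero(b, c));
    }
    return 0;
}
```

The crafted pair (28, 4) yields a 1-byte buffer from the x86 model and is rejected outright by the checked version; the benign pair (12, 4) gives 64 KB from both. Bounding each operand before adding them is what makes the check robust against a second crafted field rather than only the one in this advisory.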
Exploitation Chain: From Overflow to Code Execution
With only a 1-byte buffer allocated, the program immediately issues a ReadStream_FALSE call that writes up to 256 MB of attacker-controlled data through that single byte: a severe heap overflow.
Because the CInStream object resides only 304 bytes away from _inBuf on the heap, the first 64 KB read iteration is sufficient to overwrite the object’s virtual function table (vtable) pointer. In the second iteration, the program dispatches through the corrupted vtable, completing a classic vtable hijacking attack. By carefully crafting the NTFS cluster content, an attacker controls which function pointer is called, escalating the exploit from memory corruption to arbitrary code execution.
Memory Availability and Impact
Both 32-bit and 64-bit builds of 7-Zip are affected. The severity of impact depends on available system memory:
On 64-bit systems with 16 GB or more RAM, the _outBuf.Alloc(8 GB) call succeeds and execution proceeds directly to the overflow, making full arbitrary code execution achievable. On low-memory devices, the large allocation is likely to fail, limiting the impact to a denial-of-service (application crash) condition — still a disruptive outcome.
A Dangerously Wide Attack Surface
What makes CVE-2026-48095 particularly alarming is its extension-agnostic attack surface. The 7-Zip NTFS handler is reached through signature-based fallback detection: 7-Zip matches on the "NTFS " byte signature at a fixed file offset rather than relying on the file's extension.
This means a malicious NTFS image can be renamed with any extension, such as .zip, .7z, .rar or .pdf, or carry no extension at all, and 7-Zip will still route the file to the vulnerable NTFS handler once the extension-matched handler rejects it. No user interaction beyond opening the file is required. A phishing attachment disguised as an invoice PDF or a downloaded "ZIP" file could silently trigger the exploit.
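Because the handler is chosen by content, any defensive triage has to look at bytes rather than names. The following is an added example, not 7-Zip's detection code: it classifies a file's first sector by signature, flagging NTFS boot-sector content whatever the file is called. The offset of the signature (byte 3, the 8-byte OEM ID "NTFS    " of an NTFS boot sector) is taken from the NTFS on-disk layout rather than from this advisory, and the function names and sample buffers are constructed for the illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum content_kind { KIND_UNKNOWN = 0, KIND_NTFS = 1, KIND_ZIP = 2 };

/* NTFS boot sector: jump (3 bytes) followed by the 8-byte OEM ID "NTFS    ".
 * Assumed offset/length, per the NTFS volume layout, not from the advisory. */
#define NTFS_OEM_OFFSET 3u
#define NTFS_OEM_LEN    8u

bool looks_like_ntfs(const unsigned char *buf, size_t len)
{
    if (len < NTFS_OEM_OFFSET + NTFS_OEM_LEN)
        return false;
    return memcmp(buf + NTFS_OEM_OFFSET, "NTFS    ", NTFS_OEM_LEN) == 0;
}

/* Local file header of a ZIP entry starts with "PK\x03\x04". */
bool looks_like_zip(const unsigned char *buf, size_t len)
{
    return len >= 4 && memcmp(buf, "PK\x03\x04", 4) == 0;
}

/* Signature-first classification: the name is never consulted, which is
 * exactly why a renamed NTFS image is still caught here. */
enum content_kind classify_bytes(const unsigned char *buf, size_t len)
{
    if (looks_like_ntfs(buf, len)) return KIND_NTFS;
    if (looks_like_zip(buf, len))  return KIND_ZIP;
    return KIND_UNKNOWN;
}

/* Reads the first 512 bytes of a file and classifies them; -1 on I/O error. */
int classify_file(const char *path)
{
    unsigned char sector[512];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(sector, 1, sizeof sector, f);
    fclose(f);
    return (int)classify_bytes(sector, n);
}

/* Constructed sample: an NTFS boot-sector prefix as it would appear in a
 * crafted image that has been renamed to invoice.pdf or report.zip. */
const unsigned char SAMPLE_NTFS_HEAD[16] = {
    0xEB, 0x52, 0x90, 'N', 'T', 'F', 'S', ' ', ' ', ' ', ' ', 0x00, 0x02, 0x08, 0x00, 0x00
};
/* Constructed sample: a genuine ZIP local-file-header prefix. */
const unsigned char SAMPLE_ZIP_HEAD[8] = { 'P', 'K', 0x03, 0x04, 0x14, 0x00, 0x00, 0x00 };

int main(int argc, char **argv)
{
    static const char *names[] = { "unknown", "NTFS image", "ZIP archive" };
    if (argc < 2) {
        printf("constructed NTFS sample -> %s\n",
               names[classify_bytes(SAMPLE_NTFS_HEAD, sizeof SAMPLE_NTFS_HEAD)]);
        printf("constructed ZIP sample  -> %s\n",
               names[classify_bytes(SAMPLE_ZIP_HEAD, sizeof SAMPLE_ZIP_HEAD)]);
        return 0;
    }
    for (int i = 1; i < argc; i++) {
        int k = classify_file(argv[i]);
        printf("%s -> %s\n", argv[i], k < 0 ? "unreadable" : names[k]);
    }
    return 0;
}
```

Run it over a mail spool or download directory (`./scan *.pdf *.zip`) and every file reported as "NTFS image" is one that 7-Zip would hand to the NTFS handler regardless of its name; that is the population to quarantine on hosts still running 26.00 or earlier. The check is deliberately narrow: it does not prove a file is malicious, only that it reaches the vulnerable parser.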
Discovery and Responsible Disclosure
The vulnerability was discovered and responsibly reported by Jaroslav Lobačevski (@JarLob) of the GitHub Security Lab. The root cause was confirmed with UBSan (UndefinedBehaviorSanitizer) under Clang on Linux x64, which flagged the out-of-range shift at NtfsHandler.cpp:687 followed by the cascading invalid vtable dereference and a SIGSEGV.
Recommended Actions
Update immediately. The fix is available in 7-Zip 26.01, released April 27, 2026. The patched release can be downloaded from the official 7-Zip website. Given the public availability of proof-of-concept exploit code, unpatched systems are at elevated and immediate risk.
In the interim, exercise extreme caution with any archive files received from external sources — email attachments, downloaded files, shared drives, or messaging apps — regardless of their apparent file extension. An unexpected file, even one labeled as a PDF or spreadsheet, could trigger the vulnerable code path when processed by 7-Zip.
Organizations should audit endpoints for instances of 7-Zip 26.00 and prior, and prioritize updates on systems where users routinely handle externally sourced files.
Download 7-Zip 26.01 only from the official 7-Zip website.