PT-2026-43182 · 7 Zip+1 · 7-Zip

Published

2026-04-24

·

Updated

2026-06-30

·

CVE-2026-48095

CVSS v2.0

10

High

VectorAV:N/AC:L/Au:N/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions 7-Zip versions prior to 26.01
Description A heap buffer overflow exists in the NTFS archive handler due to an under-allocation in the compressed stream buffer. The issue occurs in the CInStream::GetCuSize() function, which calculates the compression-unit buffer size using a bitwise shift operation. When processing a crafted image with a ClusterSizeLog of 28 or greater and a CompressionUnit of 4, the exponent reaches 32, resulting in undefined behavior on x86/x64 architectures. This causes the inBuf variable to be allocated as only 1 byte. Subsequently, the ReadStream FALSE() function writes up to 256 MB of attacker-controlled data into this 1-byte buffer. Because the CInStream object is located 304 bytes after inBuf, its vtable pointer can be overwritten, enabling a vtable hijack to achieve arbitrary code execution or cause application crashes. On 32-bit builds, the overflow is reached unconditionally, while on 64-bit builds, it requires a successful parallel 8 GB outBuf allocation. The NTFS handler is enabled by default in 7z.dll and uses signature-based detection, meaning a crafted image can trigger the issue regardless of the file extension during extraction or testing.
Recommendations Update to version 26.01.

Exploit

Fix

RCE

DoS

Memory Corruption

Integer Overflow

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-07292
CVE-2026-48095
OPENSUSE-SU-2026:10942-1
OPENSUSE-SU-2026:21038-1
SUSE-SU-2026:22347-1
SUSE-SU-2026:2696-1

Affected Products

7-Zip