PT-2026-43182 · 7 Zip+1 · 7-Zip
Published
2026-04-24
·
Updated
2026-06-30
·
CVE-2026-48095
CVSS v2.0
10
High
| Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions
7-Zip versions prior to 26.01
Description
A heap buffer overflow exists in the NTFS archive handler due to an under-allocation in the compressed stream buffer. The issue occurs in the
CInStream::GetCuSize() function, which calculates the compression-unit buffer size using a bitwise shift operation. When processing a crafted image with a ClusterSizeLog of 28 or greater and a CompressionUnit of 4, the exponent reaches 32, resulting in undefined behavior on x86/x64 architectures. This causes the inBuf variable to be allocated as only 1 byte. Subsequently, the ReadStream FALSE() function writes up to 256 MB of attacker-controlled data into this 1-byte buffer. Because the CInStream object is located 304 bytes after inBuf, its vtable pointer can be overwritten, enabling a vtable hijack to achieve arbitrary code execution or cause application crashes. On 32-bit builds, the overflow is reached unconditionally, while on 64-bit builds, it requires a successful parallel 8 GB outBuf allocation. The NTFS handler is enabled by default in 7z.dll and uses signature-based detection, meaning a crafted image can trigger the issue regardless of the file extension during extraction or testing.Recommendations
Update to version 26.01.
Exploit
Fix
RCE
DoS
Memory Corruption
Integer Overflow
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
7-Zip