CVE-2026-48092
Modified Modified - Updated After Analysis
Heap Memory Disclosure in 7-Zip via SquashFS Integer Overflow

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain a heap memory disclosure via SquashFS fragment offset integer overflow on 32-bit builds. 32-bit integer overflow in the SquashFS ReadBlock function allows an attacker-controlled node.Offset value to bypass the fragment bounds check, causing memcpy to read heap memory preceding the cache buffer into the extracted file. The vulnerability is exploitable only on 32-bit builds of 7-Zip where size_t is 32 bits, allowing the addition offsetInBlock + blockSize to wrap modulo 2Β³Β². On 64-bit builds the addition is promoted to 64 bits and the check correctly rejects the input. Version 26.01 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-08
Generated
2026-06-25
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-24
NVD
CVE-2026-48092
EUVD
EUVD-2026-34837
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
7-zip 7-zip From 9.34 (inc) to 26.01 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a heap memory disclosure issue in 7-Zip versions 9.34 through 26.00 affecting 32-bit builds. It arises from a 32-bit integer overflow in the SquashFS ReadBlock function, where an attacker-controlled offset value bypasses fragment bounds checks. This causes the memcpy function to read heap memory located before the cache buffer and include it in the extracted file. The problem occurs because the addition of offsetInBlock and blockSize wraps around modulo 2Β³Β² on 32-bit systems, allowing the overflow. 64-bit builds are not affected because they use 64-bit arithmetic that prevents this overflow. The vulnerability was fixed in version 26.01.

Impact Analysis

This vulnerability can lead to the unintended disclosure of heap memory contents when extracting files using vulnerable 32-bit versions of 7-Zip. An attacker can craft malicious archive files that exploit the integer overflow to cause the program to read and include sensitive heap memory data in extracted files. This could expose sensitive information stored in memory, potentially compromising system integrity or leaking confidential data.

Detection Guidance

This vulnerability affects 32-bit builds of 7-Zip versions from 9.34 through 26.00. Detection involves identifying if your system is running a vulnerable 32-bit version of 7-Zip.

You can check the installed 7-Zip version and architecture by running commands such as:

  • On Windows, open Command Prompt and run: "7z.exe" or "7z.exe -version" to check the version.
  • Check if the 7-Zip executable is 32-bit by inspecting the file properties or using tools like "sigcheck" from Sysinternals.
  • On Linux, if 7-Zip is installed, run: "7z --help" or "7z --version" and check the package architecture with "dpkg -l | grep p7zip" or "rpm -qi p7zip".

Additionally, monitoring for suspicious extracted files that may contain unexpected heap memory data could indicate exploitation attempts, but no specific detection commands for the vulnerability itself are provided.

Mitigation Strategies

The primary mitigation step is to upgrade 7-Zip to version 26.01 or later, where this vulnerability has been patched.

If upgrading immediately is not possible, avoid using 32-bit builds of 7-Zip for extracting SquashFS archives, especially from untrusted sources.

Consider using 64-bit builds of 7-Zip, as they are not affected by this vulnerability due to proper bounds checking.

Limit user interaction with untrusted archive files and monitor for unusual application behavior or crashes related to 7-Zip.

Compliance Impact

The vulnerability in 7-Zip versions 9.34 through 26.00 on 32-bit builds allows heap memory disclosure through an integer overflow in the SquashFS handler. This can lead to exposure of sensitive data such as passwords or file paths, especially due to uninitialized heap memory disclosure in the UEFI capsule parser and other memory access violations.

Exposure of sensitive data could potentially impact compliance with data protection regulations like GDPR or HIPAA, which require safeguarding personal and sensitive information from unauthorized access or disclosure.

However, the CVE description and resources do not explicitly mention compliance impacts or regulatory considerations.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48092. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart