CVE-2026-48095
Modified Modified - Updated After Analysis
Heap Buffer Overflow in 7-Zip

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB), potentially allowing attackers to cause arbitrary code execution or application crashes. CInStream::GetCuSize() in the NTFS handler computes the compression-unit buffer size as (UInt32)1 << (BlockSizeLog + CompressionUnit), and a crafted image with ClusterSizeLog >= 28 and CompressionUnit == 4 drives the exponent to 32, which is undefined behavior and collapses on x86/x64 so _inBuf is allocated as 1 byte. ReadStream_FALSE then writes up to 256 MB of attacker-controlled data into that 1-byte buffer in 64 KB iterations, and because the CInStream object sits only 304 bytes after _inBuf, its vtable pointer is overwritten and the next dispatched call achieves a vtable hijack. On 32-bit builds the overflow is unconditionally reached; on 64-bit it requires the parallel 8 GB _outBuf allocation to succeed, otherwise failing closed to denial of service. The NTFS handler is enabled by default in stock 7z.dll and, via signature-based fallback matching "NTFS " at offset 3, will open a crafted image regardless of file extension during extraction or testing. Version 26.01 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-08
Generated
2026-06-25
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-24
NVD
CVE-2026-48095
EUVD
EUVD-2026-34838
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
7-zip 7-zip to 26.01 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a heap buffer overflow in 7-Zip version 26.00 caused by an under-allocation in the NTFS compressed stream buffer. It occurs due to undefined behavior in the GetCuSize() function, which calculates the buffer size using a 32-bit shift operation. When an attacker crafts an NTFS image with specific parameters (ClusterSizeLog >= 28 and CompressionUnit == 4), the shift operation results in the buffer being allocated as only 1 byte instead of the correct size.

During decompression, up to 256 MB of attacker-controlled data is written into this undersized buffer, causing a heap overflow. This overflow overwrites adjacent heap objects, including the vtable pointer of a stream object, enabling an attacker to hijack the vtable and potentially execute arbitrary code.

Both 32-bit and 64-bit builds of 7-Zip are affected, and the NTFS handler can be triggered by any file with a crafted NTFS signature, regardless of file extension. The issue was fixed in version 26.01.

Impact Analysis

This vulnerability can have severe impacts including arbitrary code execution and application crashes. An attacker can exploit the heap overflow to overwrite critical memory structures, such as the vtable pointer, allowing them to execute malicious code within the context of the 7-Zip application.

This could lead to full compromise of the system running the vulnerable 7-Zip version, unauthorized access to data, or denial of service through application crashes. The broad attack surface means that simply opening or testing a crafted file with a malicious NTFS signature can trigger the vulnerability.

Detection Guidance

This vulnerability can be detected by identifying the presence of 7-Zip version 26.00 or earlier on your system, as these versions contain the heap buffer overflow in the NTFS compressed stream buffer.

Detection can also involve scanning for files with crafted NTFS signatures that trigger the vulnerable NTFS handler in 7-Zip, regardless of file extension.

A proof-of-concept (PoC) generator exists to create malicious NTFS images exploiting this vulnerability, which can be used in controlled environments to test detection capabilities.

Suggested commands include checking the installed 7-Zip version via command line, for example:

  • On Windows, run: 7z.exe --help or 7z.exe
  • On Linux, run: 7z --help or 7z

Additionally, monitoring for suspicious NTFS image files or unusual extraction activity involving NTFS streams may help detect exploitation attempts.

Mitigation Strategies

The immediate mitigation step is to upgrade 7-Zip to version 26.01 or later, where this vulnerability has been fixed.

Until the upgrade can be applied, avoid extracting or testing files with NTFS signatures, especially those from untrusted sources, as the NTFS handler is enabled by default and can be triggered regardless of file extension.

Implement network and endpoint monitoring to detect and block malicious NTFS images that could exploit this vulnerability.

Compliance Impact

The vulnerability in 7-Zip allows for arbitrary code execution and application crashes due to a heap buffer overflow. This can lead to unauthorized access or manipulation of data during file extraction or testing, potentially compromising the confidentiality, integrity, and availability of sensitive information.

Such security risks can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and breaches. Exploitation of this vulnerability could result in data breaches or system compromises that violate these regulatory requirements.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48095. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart