CVE-2026-48103
Heap Out-of-Bounds Read in 7-Zip WIM Handler
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 7-zip | 7-zip | From 9.18 (inc) to 26.00 (inc) |
| 7-zip | 7-zip | From 9.21 (inc) to 26.00 (inc) |
| 7-zip | 7-zip | 26.00 |
| 7-zip | 7-zip | 26.01 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an off-by-one heap out-of-bounds read in the WIM (Windows Imaging) archive handler of 7-Zip versions 9.34 through 26.00. Specifically, in the function CHandler::GetSecurity, the code reads one UInt32 past the end of a heap-allocated vector due to an incorrect boundary check. The securityId value, which controls this read, is attacker-controlled within WIM metadata directory entries. This flaw can be triggered without user interaction (zero-click) when listing files in the 7-Zip GUI or via the command line.
The out-of-bounds read does not allow writing or direct data exposure but can cause a denial of service or minor information disclosure through arithmetic use of the out-of-bounds value. The vulnerability affects the handling of .wim, .swm, .esd, and .ppkg archive formats.
How can this vulnerability impact me?
The primary impact of this vulnerability is denial of service, as the out-of-bounds read can cause crashes or instability in 7-Zip when processing certain WIM archives. Additionally, there is a minor risk of information disclosure because the out-of-bounds value is used arithmetically, potentially leaking small amounts of memory data, although no direct data exposure or write access is possible.
Exploitation requires an attacker to craft malicious WIM metadata, and the vulnerability can be triggered automatically when listing archive contents in the GUI or via command line, making it a zero-click attack vector.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability in 7-Zip affects the WIM archive handler and can be triggered when listing certain archive files (.wim, .swm, .esd, .ppkg) using the 7-Zip GUI or CLI.
To detect the vulnerability on your system, you can check the version of 7-Zip installed and attempt to list the contents of a WIM archive using the command line.
- Run the command: 7zz l -slt <archive.wim> to list the archive contents with detailed information.
- Observe if the listing triggers any crashes or abnormal behavior, which may indicate the presence of the vulnerability.
Since the vulnerability is triggered by the securityId field in WIM metadata, monitoring for crashes or abnormal memory access during archive listing can help detect exploitation attempts.
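As an added example (not part of this record and not 7-Zip's own code), a small Python helper that extracts the version from a 7-Zip banner and compares it against the widest affected range in the product table above (9.18 to 26.00 inclusive), treating 26.01 as the fixed release named in the mitigation answer; the banner format, the bare `7zz` invocation and all function names are assumptions.

```python
import re
import subprocess

# Affected range taken from this record's product table (inclusive bounds)
# and the fixed release named in the mitigation answer. Adjust if your
# vulnerability source lists a different range.
AFFECTED_MIN = (9, 18)
AFFECTED_MAX = (26, 0)
FIXED_VERSION = (26, 1)

# Assumed banner layout: the first "<major>.<minor>" token after "7-Zip",
# e.g. "7-Zip (z) 24.08 (x64) : Copyright (c) 1999-2024 Igor Pavlov : ...".
_BANNER_RE = re.compile(r"7-Zip\b[^0-9]*?(\d+)\.(\d+)")
_BARE_RE = re.compile(r"\s*(\d+)\.(\d+)")


def parse_version(text: str):
    """Return (major, minor) from a banner or a bare 'NN.NN' string, else None."""
    m = _BANNER_RE.search(text) or _BARE_RE.match(text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_affected(version) -> bool:
    """Tuple comparison keeps 9.18 < 9.20 < 26.00 ordered numerically."""
    return AFFECTED_MIN <= version <= AFFECTED_MAX


def assess(text: str) -> str:
    """Classify a banner/version string as affected, not-affected or unknown."""
    version = parse_version(text)
    if version is None:
        return "unknown"
    return "affected" if is_affected(version) else "not-affected"


def banner_from_binary(path: str = "7zz") -> str:
    """Run the 7-Zip binary with no arguments; it prints its banner (assumed).
    Returns an empty string if the binary is missing so assess() says 'unknown'."""
    try:
        proc = subprocess.run([path], capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return ""
    return proc.stdout + proc.stderr


if __name__ == "__main__":
    print(assess(banner_from_binary()))
```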
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to update 7-Zip to a fixed version that addresses this vulnerability.
- Upgrade 7-Zip to version 26.01 or later, where this and other memory access vulnerabilities have been fixed.
Until the update is applied, avoid opening or listing untrusted WIM, SWM, ESD, or PPKG archive files using 7-Zip to prevent triggering the vulnerability.
Consider using hardened memory allocators or sandboxing 7-Zip processes to limit the impact of potential denial-of-service or information disclosure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in 7-Zip involves an off-by-one heap out-of-bounds read that can lead to denial of service and minor information disclosure. However, the disclosed information is limited and not directly surfaced to the attacker, and there is no write primitive involved.
Given the limited impact (primarily denial of service and minor information disclosure without direct exposure of sensitive data), the vulnerability's effect on compliance with common standards and regulations such as GDPR or HIPAA is likely minimal. There is no indication that personal or protected health information could be exposed or manipulated through this vulnerability.
Nevertheless, any information disclosure vulnerability could potentially raise concerns under regulations that require protection of sensitive data, so organizations using affected versions of 7-Zip should consider applying the fixed version to maintain compliance and reduce risk.