CVE-2026-48103
Analyzed Analyzed - Analysis Complete
Heap Out-of-Bounds Read in 7-Zip WIM Handler

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain an off-by-one heap out-of-bounds read in the WIM (Windows Imaging) archive handler's security descriptor lookup. In CHandler::GetSecurity (CPP/7zip/Archive/Wim/WimHandler.cpp), the per-image SecurOffsets table holds numEntries + 1 cumulative offsets, but the check securityId >= SecurOffsets.Size() admits securityId == numEntries, and the function then reads SecurOffsets[securityId + 1], fetching one UInt32 past the end of the heap-allocated CRecordVector (which performs no bounds checking on operator[]). The securityId is attacker-controlled at offset +0xC of any directory entry in WIM metadata, and the handler is registered for .wim, .swm, .esd, and .ppkg and enabled by default in stock 7z.dll; the OOB triggers zero-click in the GUI because 7zFM.exe's ListView calls GetRawProp(kpidNtSecure) for every item during listing (ASan-confirmed), and is also reachable via CLI listing with 7zz l -slt. Impact is limited to denial of service under hardened allocators and minor information disclosure, since the OOB value is only consumed arithmetically as a length and is not surfaced to the attacker; there is no write primitive.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2026-48103
EUVD
EUVD-2026-34852
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
7-zip 7-zip From 9.34 (inc) to 26.01 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an off-by-one heap out-of-bounds read in the WIM (Windows Imaging) archive handler of 7-Zip versions 9.34 through 26.00. Specifically, in the function CHandler::GetSecurity, the code reads one UInt32 past the end of a heap-allocated vector due to an incorrect boundary check. The securityId value, which controls this read, is attacker-controlled within WIM metadata directory entries. This flaw can be triggered without user interaction (zero-click) when listing files in the 7-Zip GUI or via the command line.

The out-of-bounds read does not allow writing or direct data exposure but can cause a denial of service or minor information disclosure through arithmetic use of the out-of-bounds value. The vulnerability affects the handling of .wim, .swm, .esd, and .ppkg archive formats.

Impact Analysis

The primary impact of this vulnerability is denial of service, as the out-of-bounds read can cause crashes or instability in 7-Zip when processing certain WIM archives. Additionally, there is a minor risk of information disclosure because the out-of-bounds value is used arithmetically, potentially leaking small amounts of memory data, although no direct data exposure or write access is possible.

Exploitation requires an attacker to craft malicious WIM metadata, and the vulnerability can be triggered automatically when listing archive contents in the GUI or via command line, making it a zero-click attack vector.

Detection Guidance

This vulnerability in 7-Zip affects the WIM archive handler and can be triggered when listing certain archive files (.wim, .swm, .esd, .ppkg) using the 7-Zip GUI or CLI.

To detect the vulnerability on your system, you can check the version of 7-Zip installed and attempt to list the contents of a WIM archive using the command line.

  • Run the command: 7zz l -slt <archive.wim> to list the archive contents with detailed information.
  • Observe if the listing triggers any crashes or abnormal behavior, which may indicate the presence of the vulnerability.

Since the vulnerability is triggered by the securityId field in WIM metadata, monitoring for crashes or abnormal memory access during archive listing can help detect exploitation attempts.

Mitigation Strategies

The primary mitigation step is to update 7-Zip to a fixed version that addresses this vulnerability.

  • Upgrade 7-Zip to version 26.01 or later, where this and other memory access vulnerabilities have been fixed.

Until the update is applied, avoid opening or listing untrusted WIM, SWM, ESD, or PPKG archive files using 7-Zip to prevent triggering the vulnerability.

Consider using hardened memory allocators or sandboxing 7-Zip processes to limit the impact of potential denial-of-service or information disclosure.

Compliance Impact

The vulnerability in 7-Zip involves an off-by-one heap out-of-bounds read that can lead to denial of service and minor information disclosure. However, the disclosed information is limited and not directly surfaced to the attacker, and there is no write primitive involved.

Given the limited impactβ€”primarily denial of service and minor information disclosure without direct exposure of sensitive dataβ€”the vulnerability's effect on compliance with common standards and regulations such as GDPR or HIPAA is likely minimal. There is no indication that personal or protected health information could be exposed or manipulated through this vulnerability.

Nevertheless, any information disclosure vulnerability could potentially raise concerns under regulations that require protection of sensitive data, so organizations using affected versions of 7-Zip should consider applying the fixed version to maintain compliance and reduce risk.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48103. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart