CVE-2026-48104
Analyzed Analyzed - Analysis Complete
Heap OOB Read in 7-Zip SquashFS Handler

Publication date: 2026-06-05

Last updated on: 2026-06-08

Assigner: GitHub, Inc.

Description
7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain an uninitialized heap read in the SquashFS archive handler caused by a sparsely populated index array. In the SquashFS handler, _blockToNode is allocated with capacity for every metadata block but populated only when an inode crosses a block boundary, so a crafted image with few inodes spanning many blocks leaves most slots holding raw heap contents (the underlying allocator does not zero-initialize POD storage). When OpenDir looks up an attacker-influenced blockIndex (derived from the RootInode superblock field), it reads two of these uninitialized slots and passes them as the left/right bounds of a binary search over _nodesPos, which dereferences the midpoint without bounds checking; if the resulting value happens to match the search key, the returned index is used to read a full node struct from _nodes whose fields feed further directory parsing, forming a chained OOB read primitive that is heap-layout-dependent and not reliably triggerable. The SquashFS handler is enabled by default in stock 7z.dll and the issue triggers during Open() with no interaction beyond opening the file; impact is denial of service from wild-pointer dereference and potential heap information disclosure, with no write primitive. Version 26.01 fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-08
Generated
2026-06-27
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-25
NVD
CVE-2026-48104
EUVD
EUVD-2026-34853
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
7-zip 7-zip From 9.18 (inc) to 26.01 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-908 The product uses or accesses a resource that has not been initialized.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in 7-Zip versions 9.18 through 26.00 can lead to denial of service and potential heap information disclosure due to uninitialized heap reads and out-of-bounds memory access. This information disclosure could expose sensitive data such as passwords or file paths, especially in long-running GUI instances.

Exposure of sensitive data through these vulnerabilities may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding personal and sensitive information against unauthorized access or leaks.

Therefore, organizations using affected versions of 7-Zip might face increased risk of non-compliance if sensitive data is exposed due to exploitation of these vulnerabilities.

Executive Summary

This vulnerability exists in 7-Zip versions 9.18 through 26.00 within the SquashFS archive handler. It is caused by an uninitialized heap read due to a sparsely populated index array. Specifically, the _blockToNode array is allocated with capacity for every metadata block but only partially populated, leaving many slots containing raw heap data that is not zero-initialized.

When the OpenDir function looks up a blockIndex influenced by an attacker, it reads two uninitialized slots and uses them as bounds for a binary search. This search can dereference out-of-bounds memory without proper checks, potentially returning an index that leads to reading a full node structure from memory. This creates a chained out-of-bounds read primitive that depends on heap layout and is not reliably triggerable.

The vulnerability triggers simply by opening a crafted file, requires no further interaction, and can lead to denial of service or information disclosure. There is no ability to write or modify memory through this flaw. The issue was fixed in version 26.01.

Impact Analysis

This vulnerability can impact users by causing a denial of service (DoS) when opening specially crafted SquashFS archive files, due to wild-pointer dereference resulting from out-of-bounds reads.

Additionally, it may lead to potential heap information disclosure, allowing an attacker to read sensitive memory contents. However, it does not allow an attacker to write or modify data.

Mitigation Strategies

The vulnerability in 7-Zip versions 9.18 through 26.00 is fixed in version 26.01.

To mitigate this vulnerability, you should update 7-Zip to version 26.01 or later.

Detection Guidance

This vulnerability occurs when opening specially crafted SquashFS archive files with vulnerable versions of 7-Zip (versions 9.18 through 26.00). Detection involves identifying the presence of these vulnerable 7-Zip versions on your system and monitoring for attempts to open suspicious or malformed SquashFS archives.

To detect vulnerable versions of 7-Zip installed on your system, you can run commands to check the version of the 7z executable or DLL.

  • On Windows, open Command Prompt and run: 7z.exe --help or 7z.exe
  • On Linux or Unix-like systems, run: 7z --help or 7z

If the version reported is between 9.18 and 26.00 inclusive, the system is vulnerable.

To detect exploitation attempts or suspicious activity, monitor logs or network traffic for files with SquashFS archives being opened or transferred. Since the vulnerability triggers during the Open() operation of the archive, any automated or manual opening of suspicious SquashFS files could be a sign.

No specific detection commands or signatures are provided in the available resources, so detection relies on version checking and monitoring file operations involving SquashFS archives.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48104. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart