CVE-2026-48111
Out-of-Bounds Read in 7-Zip UEFI Parser
Publication date: 2026-06-05
Last updated on: 2026-06-05
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| 7-zip | 7-zip | From 9.21 (inc) to 26.00 (inc) |
| 7-zip | 7-zip | 26.01 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in 7-Zip allows a minor information disclosure: an adjacent .rdata string literal can be copied into archive metadata. It does not disclose heap data, secrets, or ASLR base addresses. It may also cause a denial of service. Nothing in the available information indicates that it exposes personal data or other information protected under regulations such as GDPR or HIPAA.
Therefore, while the vulnerability could affect system availability through a denial of service, it does not appear to directly affect compliance with data-protection standards such as GDPR or HIPAA, which primarily concern the confidentiality and integrity of personal and sensitive data.
Can you explain this vulnerability to me?
This vulnerability exists in 7-Zip versions 9.21 through 26.00 in the UEFI firmware image parser, specifically in the ParseDepedencyExpression function. The function compares the opcode byte of a dependency expression against the size of a static table of opcode mnemonics using greater-than (>) instead of greater-than-or-equal-to (>=). Because the table has ten entries (valid indices 0 through 9), an opcode value of 10 passes the check and indexes one pointer slot past the end of the array, an out-of-bounds read.
The value read from that slot is treated as a string pointer and passed to string functions such as strlen and memcpy. Depending on what happens to follow the array in memory, this either crashes the process with an access violation (denial of service) or copies an adjacent string literal into the archive metadata (minor information disclosure).
The vulnerability is triggered automatically when a UEFI firmware section of the relevant type is processed with the specific byte value described above; the UEFI handler is enabled by default in 7z.dll, so simply opening such an archive is enough. The issue was fixed in version 26.01.
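To make the off-by-one concrete, the following is an added example written for this page, not 7-Zip's own code. It models the opcode bounds check in both the vulnerable (>) and corrected (>=) forms and shows a hardened decoder for the dependency-expression byte stream that never indexes past the table. The mnemonic table, the rule that opcodes 0 to 2 (BEFORE, AFTER, PUSH) carry a 16-byte GUID operand, and the sample byte strings are assumptions based on the UEFI PI DEPEX encoding; the function names are mine.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Opcode mnemonic table modelled on the one the advisory describes:
 * ten entries, valid indices 0..9.  Indexing slot 10 reads whatever
 * pointer-sized value happens to follow the array in memory.
 */
static const char *const kExpressionCommands[] = {
    "BEFORE", "AFTER", "PUSH", "AND", "OR", "NOT", "TRUE", "FALSE", "END", "SOR"
};
#define NUM_COMMANDS (sizeof(kExpressionCommands) / sizeof(kExpressionCommands[0]))
#define GUID_SIZE 16

/* Bounds check as the advisory describes the vulnerable code: `>` lets 10 through. */
bool opcode_rejected_vulnerable(unsigned command)
{
    return command > NUM_COMMANDS;
}

/* Corrected bounds check: `>=` rejects every index outside 0..9. */
bool opcode_rejected_fixed(unsigned command)
{
    return command >= NUM_COMMANDS;
}

/* Append formatted text to out[]; returns false if it would not fit. */
static bool append(char *out, size_t out_len, size_t *used, const char *fmt, unsigned v)
{
    int w = snprintf(out + *used, out_len - *used, fmt, v);
    if (w < 0 || (size_t)w >= out_len - *used)
        return false;
    *used += (size_t)w;
    return true;
}

/*
 * Hardened DEPEX-to-text decoder (example code).  Returns the number of
 * opcodes decoded, or -1 if the expression is malformed.  Opcodes 0..2
 * carry a 16-byte GUID operand, rendered here as raw hex (assumption).
 */
int decode_depex(const uint8_t *data, size_t size, char *out, size_t out_len)
{
    size_t pos = 0, used = 0;
    int count = 0;

    if (out_len == 0)
        return -1;
    out[0] = '\0';

    while (pos < size) {
        unsigned command = data[pos++];
        if (opcode_rejected_fixed(command))
            return -1;                             /* never index slot 10 or beyond */
        if (count && !append(out, out_len, &used, " ", 0))
            return -1;
        if (!append(out, out_len, &used, kExpressionCommands[command], 0))
            return -1;

        if (command <= 2) {                        /* GUID operand follows */
            if (size - pos < GUID_SIZE)
                return -1;                         /* truncated operand */
            if (!append(out, out_len, &used, "(", 0))
                return -1;
            for (size_t i = 0; i < GUID_SIZE; i++)
                if (!append(out, out_len, &used, "%02x", data[pos + i]))
                    return -1;
            if (!append(out, out_len, &used, ")", 0))
                return -1;
            pos += GUID_SIZE;
        }
        count++;
    }
    return count;
}

/* Constructed sample inputs (not real firmware). */
static const uint8_t kBenignDepex[] = {
    0x02, /* PUSH + GUID */
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08,
    0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10,
    0x06, /* TRUE */ 0x03, /* AND */ 0x08 /* END */
};
static const uint8_t kTriggerDepex[] = { 0x0A, 0x08 };  /* opcode 10: one slot past the table */

int main(void)
{
    char buf[256];
    int n = decode_depex(kBenignDepex, sizeof kBenignDepex, buf, sizeof buf);
    printf("benign: %d opcodes -> %s\n", n, buf);
    n = decode_depex(kTriggerDepex, sizeof kTriggerDepex, buf, sizeof buf);
    printf("trigger: %s\n", n < 0 ? "rejected" : "accepted");
    printf("opcode 10 rejected by vulnerable check: %d, by fixed check: %d\n",
           opcode_rejected_vulnerable(10), opcode_rejected_fixed(10));
    return 0;
}
```

The two predicates differ only in the comparison operator, which is the whole bug: with `>` an opcode of exactly NUM_COMMANDS is accepted, with `>=` it is not. The decoder also rejects a GUID operand that runs past the end of the section rather than reading beyond the input buffer.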
How can this vulnerability impact me?
This vulnerability can impact you by causing a denial of service (DoS) if the program crashes due to an access violation when processing a crafted archive. Alternatively, it may cause a minor information disclosure where adjacent string literals from the program's read-only data section are leaked into archive metadata.
However, the vulnerability does not allow writing to memory, disclosure of heap data, secrets, or address space layout randomization (ASLR) base addresses, limiting the severity of the impact.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability occurs in 7-Zip versions 9.21 through 26.00 when processing UEFI firmware images that contain DEPEX sections. Detection therefore has two parts: identifying installations of the vulnerable versions, and identifying firmware images in which a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section has a first body byte of 0x0A (an opcode that has no valid meaning and is exactly the value that indexes past the mnemonic table).
Since the vulnerability is triggered automatically during archive opening via IInArchive::Open(), another indicator is a crash of 7-Zip (or of any application that loads 7z.dll) while parsing a UEFI firmware image.
No specific commands or network detection signatures are provided in the available information.
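The file-side heuristic above can be automated over a raw firmware image. The following added example (not from the page and not 7-Zip code) walks consecutive FFS section headers and flags DEPEX sections whose first body byte is 0x0A. The section-header layout follows the UEFI PI specification (EFI_COMMON_SECTION_HEADER: 24-bit little-endian size including the header, then a type byte; a size of 0xFFFFFF means an EFI_COMMON_SECTION_HEADER2 with a 32-bit ExtendedSize follows; sections are 4-byte aligned). The sample buffers are constructed and the function names are mine.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* UEFI PI section types named in the advisory. */
#define SECTION_DXE_DEPEX 0x13
#define SECTION_PEI_DEPEX 0x1B
/* First body byte that indexes one slot past the ten-entry opcode table. */
#define OPCODE_PAST_TABLE 0x0A

/*
 * Scan a buffer of consecutive FFS sections.  Returns the number of DEPEX
 * sections whose first body byte is 0x0A and stores the offset of the first
 * such section in *first_hit (SIZE_MAX if none).  Stops at the first
 * malformed or truncated header rather than reading past the buffer.
 * Example code; it only sees sections that are not nested inside a
 * compressed (0x01) or GUID-defined (0x02) section.
 */
size_t scan_depex_sections(const uint8_t *buf, size_t len, size_t *first_hit)
{
    size_t off = 0, hits = 0;
    *first_hit = SIZE_MAX;

    while (off + 4 <= len) {
        uint32_t size = (uint32_t)buf[off] | (uint32_t)buf[off + 1] << 8 |
                        (uint32_t)buf[off + 2] << 16;
        uint8_t type = buf[off + 3];
        size_t hdr = 4;

        if (size == 0xFFFFFF) {                  /* extended header */
            if (len - off < 8)
                break;
            size = (uint32_t)buf[off + 4] | (uint32_t)buf[off + 5] << 8 |
                   (uint32_t)buf[off + 6] << 16 | (uint32_t)buf[off + 7] << 24;
            hdr = 8;
        }
        if (size < hdr || size > len - off)
            break;                               /* malformed or truncated */

        if ((type == SECTION_DXE_DEPEX || type == SECTION_PEI_DEPEX) &&
            size > hdr && buf[off + hdr] == OPCODE_PAST_TABLE) {
            if (hits == 0)
                *first_hit = off;
            hits++;
        }

        off += size;
        off = (off + 3) & ~(size_t)3;            /* next section is 4-byte aligned */
    }
    return hits;
}

/* Constructed sample: PE32 section, benign DXE_DEPEX (TRUE END), pad, PEI_DEPEX starting 0x0A. */
static const uint8_t kSampleSections[] = {
    0x08, 0x00, 0x00, 0x10, 'M', 'Z', 0x00, 0x00,   /* off 0:  PE32, size 8 */
    0x06, 0x00, 0x00, 0x13, 0x06, 0x08,             /* off 8:  DXE_DEPEX, body TRUE END */
    0x00, 0x00,                                     /* alignment padding */
    0x06, 0x00, 0x00, 0x1B, 0x0A, 0x08              /* off 16: PEI_DEPEX, body starts 0x0A */
};

/* Constructed sample with an extended header: ExtendedSize 10, DXE_DEPEX, body starts 0x0A. */
static const uint8_t kSampleExtended[] = {
    0xFF, 0xFF, 0xFF, 0x13, 0x0A, 0x00, 0x00, 0x00, 0x0A, 0x08
};

int main(void)
{
    size_t hit;
    size_t n = scan_depex_sections(kSampleSections, sizeof kSampleSections, &hit);
    printf("sample: %zu flagged section(s), first at offset %zu\n", n, hit);
    n = scan_depex_sections(kSampleExtended, sizeof kSampleExtended, &hit);
    printf("extended: %zu flagged section(s), first at offset %zu\n", n, hit);
    return 0;
}
```

A hit is worth investigating because 0x0A is not a valid DEPEX opcode at all, so a well-formed image should never contain one. The scanner does not decompress or unwrap nested sections, so an image that hides the DEPEX inside a compressed or GUID-defined section must be unpacked first; and a clean scan says nothing about whether the installed 7-Zip is patched, which still has to be checked by version.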
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation is to upgrade 7-Zip to version 26.01 or later, where this off-by-one out-of-bounds read in the UEFI firmware image parser is fixed. Remember that the handler lives in 7z.dll, so any third-party software that bundles the library needs its own update.
Until the upgrade is applied, avoid opening or processing UEFI firmware images that contain SECTION_DXE_DEPEX or SECTION_PEI_DEPEX sections with 7-Zip versions 9.21 through 26.00.