
How This New 7-Zip Flaw Exposes Your Whole System

A high-severity 7-Zip vulnerability has been disclosed that allows threat actors to achieve arbitrary remote code execution (RCE) on targeted systems. The flaw stems from a critical memory validation defect within the utility’s internal New Technology File System (NTFS) archive-parsing framework.

Tracked as CVE-2026-48095, the vulnerability allows an attacker to compromise an entire system simply by convincing a user to open a specially crafted archive or disk image. Because the vulnerability triggers automatically during the initial processing phase, it represents a potent attack surface for initial access campaigns.

Key Details

The security flaw, which carries a CVSS 3.1 score of 8.8, affects all versions of 7-Zip up to and including version 26.00. Discovered by security researcher Jaroslav Lobačevski (@JarLob) of the GitHub Security Lab, the issue was assigned the tracker GHSL-2026-140.

The vulnerability is categorized under CWE-787 (Out-of-Bounds Write) and CWE-190 (Integer Overflow or Wraparound). According to the disclosure timeline, the flaw was privately reported to the developer on April 24, 2026, and a patched version (v26.01) was quietly made available a few days later on April 27, 2026.

One of the most alarming aspects of this flaw is its extension-agnostic nature. The NTFS parsing component within 7-Zip relies on signature-based fallback detection. This means an attacker can disguise a malicious NTFS image using standard extensions like .7z, .zip, .rar, or even strip the extension completely. If the primary extension handler fails to parse the file, 7-Zip falls back to checking internal file signatures. Once it detects the "NTFS " magic byte string at offset 3, it routes the payload directly into the vulnerable function.

Technical Analysis

The root cause of CVE-2026-48095 resides within the CInStream::GetCuSize() function inside the NtfsHandler.cpp source file. The application relies on this function to compute the required buffer size for processing compressed NTFS units using a 32-bit left-shift operation:

$$(UInt32)1 \ll (BlockSizeLog + CompressionUnit)$$

When 7-Zip parses a maliciously structured NTFS image where ClusterSizeLog is set to a value greater than or equal to 28, and a non-resident compressed data attribute defines a CompressionUnit value of 4, the shift exponent reaches or exceeds 32. Shifting a 32-bit value by 32 or more bits is undefined behavior (UB) in C++.

On x86 and x64 processors the hardware masks the shift count, so the operation wraps and the engine computes an allocation size of zero or one. Consequently, 7-Zip allocates an input buffer (_inBuf) of just a single byte.
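The two defects described above, a signature check that runs regardless of extension and a 32-bit shift whose count can reach 32, can both be checked defensively before a file ever reaches an archive engine. The C program below is an added example written for this article; it is not 7-Zip's code and does not reproduce NtfsHandler.cpp. It reads the NTFS boot sector fields at their documented offsets (OEM ID at byte 3, bytes-per-sector at byte 11, sectors-per-cluster at byte 13), derives a cluster-size exponent, and refuses any combination whose shift count would be undefined for a 32-bit operand. Assumptions: the function and type names are hypothetical, the sample boot sectors are constructed for the demonstration, the treatment of sectors-per-cluster values of 0x80 and above as the Windows large-cluster encoding (2^(256 - value) sectors) is an assumption about the on-disk format, and the wrap model uses well-defined 64-bit arithmetic truncated to 32 bits rather than the hardware masking the article describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTFS_BOOT_SECTOR_LEN 512
#define NTFS_OEM_ID "NTFS    "   /* 8-byte OEM ID found at offset 3 */

/* Hardened form of the size computation: reject any shift count that is
 * undefined for a 32-bit operand instead of letting it wrap to a tiny size. */
bool safe_cu_size(unsigned block_size_log, unsigned compression_unit, uint32_t *out)
{
    unsigned shift = block_size_log + compression_unit;
    if (shift >= 32)               /* 1u << 32 is UB in C/C++; refuse it */
        return false;
    *out = (uint32_t)1u << shift;
    return true;
}

/* Defined-behaviour model of the wrap: shift in 64 bits, then truncate to the
 * 32-bit width the original result is stored in. Shift 32 yields 0 here;
 * real x86 shift-count masking would yield 1 (the article says zero or one). */
uint32_t truncated_cu_size(unsigned block_size_log, unsigned compression_unit)
{
    unsigned shift = block_size_log + compression_unit;
    if (shift >= 64)
        return 0;
    return (uint32_t)((uint64_t)1 << shift);
}

/* log2 of a power of two; caller guarantees v != 0 and v is a power of two */
static unsigned log2_pow2(uint32_t v)
{
    unsigned n = 0;
    while ((v >>= 1) != 0)
        n++;
    return n;
}

/* Signature check at offset 3, deliberately ignoring the file extension. */
bool looks_like_ntfs(const uint8_t *buf, size_t len)
{
    return len >= 3 + 8 && memcmp(buf + 3, NTFS_OEM_ID, 8) == 0;
}

/* Derive the cluster-size exponent from bytes-per-sector (LE u16 at 11) and
 * sectors-per-cluster (u8 at 13). Returns -1 for malformed fields.
 * ASSUMPTION: values 0x80..0xFF encode 2^(256 - value) sectors per cluster. */
int ntfs_cluster_size_log(const uint8_t *buf, size_t len)
{
    if (!looks_like_ntfs(buf, len) || len < 14)
        return -1;
    uint32_t bps = (uint32_t)buf[11] | ((uint32_t)buf[12] << 8);
    uint8_t spc = buf[13];
    if (bps == 0 || (bps & (bps - 1)) != 0 || spc == 0)
        return -1;
    int log = (int)log2_pow2(bps);
    if (spc < 0x80) {
        if ((spc & (spc - 1)) != 0)
            return -1;
        return log + (int)log2_pow2(spc);
    }
    return log + (0x100 - (int)spc);
}

typedef enum { NOT_NTFS, NTFS_OK, NTFS_SUSPICIOUS, NTFS_MALFORMED } verdict_t;

/* Gateway-style triage: flag images whose cluster exponent plus the
 * compression unit would push the 32-bit shift out of range. */
verdict_t classify_image(const uint8_t *buf, size_t len, unsigned compression_unit)
{
    if (!looks_like_ntfs(buf, len))
        return NOT_NTFS;
    int cl = ntfs_cluster_size_log(buf, len);
    if (cl < 0)
        return NTFS_MALFORMED;
    uint32_t size;
    return safe_cu_size((unsigned)cl, compression_unit, &size) ? NTFS_OK : NTFS_SUSPICIOUS;
}

/* CONSTRUCTED sample: a minimal boot sector with chosen geometry, not a real volume. */
void make_boot_sector(uint8_t *buf, uint16_t bytes_per_sector, uint8_t spc)
{
    memset(buf, 0, NTFS_BOOT_SECTOR_LEN);
    buf[0] = 0xEB; buf[1] = 0x52; buf[2] = 0x90;   /* jump-instruction bytes */
    memcpy(buf + 3, NTFS_OEM_ID, 8);
    buf[11] = (uint8_t)(bytes_per_sector & 0xFF); buf[12] = (uint8_t)(bytes_per_sector >> 8);
    buf[13] = spc;
}

verdict_t classify_constructed(uint16_t bytes_per_sector, uint8_t spc, unsigned cu)
{
    uint8_t buf[NTFS_BOOT_SECTOR_LEN];
    make_boot_sector(buf, bytes_per_sector, spc);
    return classify_image(buf, sizeof buf, cu);
}

int main(void)
{
    /* 512-byte sectors, 8 per cluster: exponent 12, CU 4 -> 64 KB buffer, fine */
    printf("normal geometry: verdict %d\n", classify_constructed(512, 8, 4));
    /* 4096-byte sectors, 0xF0 -> 2^16 sectors: exponent 28, CU 4 -> shift 32 */
    printf("oversized clusters: verdict %d\n", classify_constructed(4096, 0xF0, 4));
    printf("wrapped 32-bit size would be %u bytes\n", truncated_cu_size(28, 4));
    return 0;
}
```

The triage verdict is what a mail gateway or ingestion pipeline would act on: an image that is well-formed but whose geometry sends the shift count to 32 or beyond is quarantined rather than handed to an archive engine, and the exponent check is the same guard a patched size computation needs.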

Malicious NTFS Image (ClusterSizeLog >= 28)
             │
             ▼
GetCuSize() Integer Shift Overflow (Undefined Behavior)
             │
             ▼
Allocates 1-Byte Buffer (_inBuf)
             │
             ▼
ReadStream_FALSE writes up to 256 MB of data
             │
             ▼
Heap Memory Overwritten (CInStream vtable pointer hijacked)

Directly after allocation, the code invokes a ReadStream_FALSE call to fill the buffer, attempting to stream up to 256 MB of attacker-controlled data into that single-byte space. Because the primary stream object, CInStream, is situated precisely 304 bytes after _inBuf on the heap, the sequential data overwrite yields immediate exploitation:

  • Iteration 1: The first 64 KB block read iteration completely overwhelms the boundaries of _inBuf, wiping out adjacent metadata and overwriting the CInStream object’s virtual method table (vtable) pointer.
  • Iteration 2: The subsequent streaming loop iteration attempts to dispatch a function call through the now-corrupted vtable, executing a classic vtable hijack that passes execution flow directly to code controlled by the attacker.

On 64-bit platforms hosting 16 GB or more of physical memory, the companion buffer allocation (_outBuf.Alloc(8 GB)) succeeds, allowing execution to slide directly into the code execution phase. On low-resource environments, the allocation fails with a memory exception, reducing the payload impact to a local Denial of Service (DoS) crash.

Impact and Risks

Given 7-Zip’s ubiquity across enterprise infrastructure, dev boxes, and consumer systems, the practical implications of CVE-2026-48095 are profound. File archivers are trusted tools commonly integrated into automated backend processing, mail gateways, and developer toolchains.

Because the exploit does not depend on a specific extension, standard security controls that flag dangerous file extensions (like .exe or .bat) will fail to stop it. An attacker could embed a malicious NTFS payload inside an apparently benign .zip attachment sent via phishing.

If a user clicks “Test” or attempts to extract the archive using an unpatched 7-Zip GUI session, the underlying 7z.dll engine triggers the overflow, achieving code execution under the privileges of the active user account.

Expert Recommendations

Organizations and individual developers must move quickly to secure their systems against this vector.

  • Apply Patches Immediately: Administrators should inventory all corporate endpoints and servers utilizing 7-Zip or software packages that bundle 7z.dll. Update installations to 7-Zip version 26.01 or later immediately.
  • Review Automated Extraction Pipelines: Organizations running server-side ingestion scripts, security orchestration automation (SOAR) workflows, or email security gateways that parse incoming archives using command-line 7-Zip utilities must verify that their backend infrastructure is updated.
  • Restrict Archive Access: Implement attachment filtering policies at the gateway level to quarantine unverified or multi-layered archive objects originating from untrusted external sources.

Industry Context

This development underscores an ongoing industry trend: utility software and foundational file-parsing libraries remain a prime target for discovery and exploitation. Because utilities like 7-Zip operate with direct file access and must decipher legacy, highly complex file structures, minor computation errors can yield severe binary exploits.

The discovery mirrors historical vulnerabilities in WinRAR and other file-handling utilities that threat groups actively leverage for initial access. Software supply chain risk continues to climb as open-source utilities are embedded into commercial application dependencies, often leaving them unpatched for years.

Conclusion

The disclosure of CVE-2026-48095 serves as a stark reminder that even the most trusted, long-standing utilities can host critical memory corruption flaws. Because the vulnerability relies on subtle undefined behavior in native C++ arithmetic, automated binary analysis tools often miss the threat until active proof-of-concepts emerge. Securing environments requires continuous asset monitoring and immediate patch deployment to eliminate these latent architectural blind spots.

FAQ

What is the primary cause of the 7-Zip vulnerability (CVE-2026-48095)?

The vulnerability is caused by an integer overflow and undefined behavior during a 32-bit left-shift calculation inside the NTFS archive-handling module (NtfsHandler.cpp). This results in a severe memory under-allocation, creating a 1-byte heap buffer that is subsequently flooded with up to 256 MB of data.

Does an attacker need a specific file extension to exploit this bug?

No. The flaw is completely extension-agnostic. 7-Zip uses signature-based fallback detection, meaning that even if a file is named with a .zip, .rar, or .7z extension, the utility will automatically pass the file to the vulnerable NTFS parsing engine if the internal file headers match an NTFS format signature.

What versions of 7-Zip are vulnerable?

All versions of 7-Zip up to and including version 26.00 are vulnerable to this exploit. The flawed calculation logic has existed within the tool’s codebase since NTFS compressed stream support was initially introduced.

How can I protect my organization from this exploit?

You must update all instances of 7-Zip to version 26.01 or higher. Administrators should pay special attention to third-party applications, automated data processing pipelines, and security tools that rely on the 7z.dll library to unpack files.

Can this vulnerability be triggered without user interaction?

Exploitation requires the user to open, test, or attempt to extract a maliciously crafted archive file using a vulnerable version of the 7-Zip application. However, no further interaction inside the archive is required once it is opened by the utility.
