Severity: HIGH | CVE-2026-48095 | CNA: GitHub_M

CVE-2026-48095: GHSL-2026-140_7-Zip: 7-Zip has a heap buffer overflow via NTFS compressed stream buffer under-allocation

7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB), potentially allowing attackers to cause arbitrary code execution or application crashes. CInStream::GetCuSize() in the NTFS handler computes the compression-unit buffer size as (UInt32)1 << (BlockSizeLog + CompressionUnit), and a crafted image with ClusterSizeLog >= 28 and CompressionUnit == 4 drives the exponent to 32, which is undefined behavior and collapses on x86/x64 so _inBuf is allocated as 1 byte. ReadStream_FALSE then writes up to 256 MB of attacker-controlled data into that 1-byte buffer in 64 KB iterations, and because the CInStream object sits only 304 bytes after _inBuf, its vtable pointer is overwritten and the next dispatched call achieves a vtable hijack. On 32-bit builds the overflow is unconditionally reached; on 64-bit it requires the parallel 8 GB _outBuf allocation to succeed, otherwise failing closed to denial of service. The NTFS handler is enabled by default in stock 7z.dll and, via signature-based fallback matching "NTFS " at offset 3, will open a crafted image regardless of file extension during extraction or testing. Version 26.01 fixes the issue.
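To make the under-allocation concrete, the following added C example (not 7-Zip code and not the 26.01 fix) models the size computation the advisory names, showing the unchecked shift beside a bounds-checked form. The cap CU_SIZE_LIMIT and the sample inputs are assumptions; the field names follow the advisory.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative model of the compression-unit size computation named in the
 * advisory (CInStream::GetCuSize). Field names follow the advisory; the
 * surrounding NTFS parsing, the real allocation code and 7-Zip's own fix in
 * 26.01 are not reproduced here. */

/* Assumed sanity cap for one compression unit (NTFS normally uses 16 clusters,
 * i.e. 64 KB at a 4 KB cluster size); the 256 MB value is illustrative. */
#define CU_SIZE_LIMIT ((uint64_t)1 << 28)

/* Unchecked form, as described: (UInt32)1 << (BlockSizeLog + CompressionUnit).
 * A shift count of 32 or more is undefined behaviour for a 32-bit operand; on
 * x86/x64 the hardware masks the count to 5 bits, so 1 << 32 becomes 1 << 0 = 1.
 * The mask is written out explicitly here so the example is deterministic
 * instead of itself relying on undefined behaviour. */
uint32_t cu_size_unchecked(unsigned blockSizeLog, unsigned compressionUnit)
{
    unsigned shift = blockSizeLog + compressionUnit;
    return (uint32_t)1 << (shift & 31);   /* models the x86 collapse to 1 byte */
}

/* Hardened form: reject the exponent before shifting, compute in 64 bits, and
 * enforce an upper bound. Returns 0 (never a valid size) when the input is
 * rejected, so a caller cannot proceed to allocate on a bogus value. */
uint64_t cu_size_checked(unsigned blockSizeLog, unsigned compressionUnit)
{
    unsigned shift = blockSizeLog + compressionUnit;
    if (shift >= 64)
        return 0;                         /* would be UB even for a 64-bit operand */
    uint64_t size = (uint64_t)1 << shift;
    if (size > CU_SIZE_LIMIT)
        return 0;                         /* implausibly large unit: refuse */
    return size;
}

int main(void)
{
    /* Constructed inputs: a normal 4 KB cluster image (ClusterSizeLog 12), and
     * the advisory's ClusterSizeLog >= 28 with CompressionUnit == 4 (exponent 32). */
    printf("normal     : unchecked=%u checked=%llu\n",
           cu_size_unchecked(12, 4), (unsigned long long)cu_size_checked(12, 4));
    printf("exponent 32: unchecked=%u checked=%llu\n",
           cu_size_unchecked(28, 4), (unsigned long long)cu_size_checked(28, 4));
    return 0;
}
```

Compile with any C99 compiler and run: the unchecked form returns 1 for the exponent-32 case, the checked form refuses it. The "unchecked" function masks the shift count explicitly to mirror x86 behaviour deterministically; the real expression has no such mask and its result for a count of 32 is undefined, which is why the bound has to be validated before the shift rather than by inspecting the result afterwards.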

Metrics

CVSS v3.1: 8.8
Severity: HIGH
Fixed in: not listed
Affected Products: 1


HarborGuard Analysis

Synopsis

Heap buffer overflow in 7-Zip versions 26.00 and prior, reachable over the network when a user opens or tests a crafted archive file. The NTFS compressed stream handler under-allocates a 1-byte buffer due to undefined behavior in a bit-shift operation, then writes up to 256 MB of attacker-controlled data into it, overwriting a vtable pointer. Successful exploitation achieves arbitrary code execution; on 64-bit systems where the secondary allocation fails, the result is an application crash. No fix version has been published upstream yet; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: CVE-2026-48095 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle 7-Zip or the 7z.dll shared library. Any image containing an affected version of the mcmilk/7-Zip package (26.00 or earlier) is flagged in the pipeline scan results automatically.

Triage: Available

HarborGuard scores this CVE at CVSS 8.8 HIGH and surfaces it accordingly in each customer environment, weighted against that environment's active compliance policy to determine escalation priority. Triage findings are routed to the team or inbox configured for HIGH-severity issues within each customer organization.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment version 26.01 or a later fix is released upstream. In the meantime, customers with auto-remediation enabled will receive a rebuild and a PR against affected workloads as soon as a fix version becomes available; where compliance policy permits, the PR includes a regression-test run against the rebuilt image.

Exploit Conditions

  • Network reachability: Required

    The attacker must deliver a crafted archive to the victim over the network, since the vulnerable NTFS handler is triggered during extraction or testing of a remotely sourced file.

  • Authentication: Not required

    No authentication or account credentials are needed; any unauthenticated party who can supply a file to the target user can trigger the vulnerability.

  • Victim interaction: Required

    The victim must open, extract, or test the crafted archive in 7-Zip, making this a social-engineering vector where the attacker persuades the user to interact with a malicious file.

  • Attack complexity (detail)

    Exploit reliability is high on 32-bit builds, where the overflow is unconditionally reached. On 64-bit builds the overflow additionally requires the 8 GB secondary allocation to succeed; if that allocation fails, the outcome is a denial of service rather than code execution, so the crafted image still has an impact.

Blast Radius

  • On successful vtable hijack, the attacker executes arbitrary code in the context of the user running 7-Zip, gaining full access to that process's memory and permissions.
  • The attacker can read files, environment variables, and secrets accessible to the current user account on the host.
  • The attacker can write or modify files on disk, install persistent malware, or tamper with other application data.
  • If the vtable hijack conditions are not met (64-bit builds with insufficient memory), the application crashes, disrupting any automated pipeline or user workflow that depends on archive processing.

How HarborGuard Handles This

Available on HarborGuard: this CVE is tracked continuously against all customer images that include the mcmilk/7-Zip package at version 26.00 or earlier. Because no upstream fix has been published, HarborGuard re-evaluates the advisory on every ingest cycle. The moment an upstream fix (expected as version 26.01 per the advisory) is confirmed, a patched-image rebuild becomes available automatically; for customers who have opted into auto-remediation, this triggers a rebuild, regression-test run, and a PR opened against affected workloads, gated on each environment's compliance policy. While no patch is available, compensating controls worth considering include network-policy isolation of any service that processes untrusted archives with 7-Zip, strict input validation or allowlisting of archive sources before they reach extraction workflows, and disabling or sandboxing the 7-Zip extraction step in CI/CD pipelines that handle externally supplied files.
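The input-validation control mentioned above has to look at file content, because the advisory states that the NTFS handler opens any input carrying "NTFS " at offset 3 regardless of extension. The following added C example (not 7-Zip or HarborGuard code) shows a pre-extraction gate for a hypothetical pipeline: it sniffs for the NTFS boot-sector OEM ID and refuses such inputs whatever name they arrived under, then applies an assumed extension allowlist. The sample buffers are constructed, not real files.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* NTFS boot-sector OEM ID: the 8 bytes at offset 3 are "NTFS" padded with
 * four spaces. The advisory's fallback match is the prefix "NTFS "; checking
 * the full padded field is stricter and still covers what the handler opens. */
#define NTFS_OEM_OFFSET 3
static const uint8_t NTFS_OEM_ID[8] = { 'N', 'T', 'F', 'S', ' ', ' ', ' ', ' ' };

/* Returns true when the buffer would be recognised as an NTFS image. */
bool looks_like_ntfs(const uint8_t *buf, size_t len)
{
    if (len < NTFS_OEM_OFFSET + sizeof NTFS_OEM_ID)
        return false;
    return memcmp(buf + NTFS_OEM_OFFSET, NTFS_OEM_ID, sizeof NTFS_OEM_ID) == 0;
}

/* Gate for a hypothetical extraction pipeline: anything that sniffs as NTFS is
 * refused regardless of its name, then only an assumed allowlist of container
 * extensions is passed on to the archiver. Returns true to allow extraction. */
bool allow_for_extraction(const char *name, const uint8_t *buf, size_t len)
{
    if (looks_like_ntfs(buf, len))
        return false;                 /* NTFS handler would open it whatever 'name' says */
    const char *dot = strrchr(name, '.');
    if (dot == NULL)
        return false;
    return strcmp(dot, ".zip") == 0 || strcmp(dot, ".7z") == 0;  /* assumed allowlist */
}

/* Constructed samples (not real files): the first 16 bytes of an NTFS-like boot
 * sector (jmp/nop, OEM ID, 512-byte sectors, 8 sectors per cluster) and a ZIP
 * local-file header signature. */
static const uint8_t sample_ntfs_as_zip[16] =
    { 0xEB, 0x52, 0x90, 'N', 'T', 'F', 'S', ' ', ' ', ' ', ' ', 0x00, 0x02, 8, 0, 0 };
static const uint8_t sample_zip[16] =
    { 'P', 'K', 3, 4, 20, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 };

int main(void)
{
    printf("NTFS image named report.zip: %s\n",
           allow_for_extraction("report.zip", sample_ntfs_as_zip, sizeof sample_ntfs_as_zip)
               ? "allowed" : "refused");
    printf("ZIP header named report.zip: %s\n",
           allow_for_extraction("report.zip", sample_zip, sizeof sample_zip)
               ? "allowed" : "refused");
    return 0;
}
```

The content check runs first deliberately: an extension allowlist on its own would pass the renamed image straight to the archiver, which is the case the advisory warns about. In a real pipeline the same gate would sit in front of the 7-Zip extraction step for externally supplied files, alongside the sandboxing suggested above.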

Affected packages
  • mcmilk/7-Zip <= 26.00

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H