CVE-2026-48092 Overview
CVE-2026-48092 is a heap memory disclosure vulnerability in 7-Zip, a widely used file archiver. The flaw resides in the SquashFS ReadBlock function and stems from a 32-bit integer overflow when handling fragment offsets. An attacker-controlled node.Offset value can bypass the fragment bounds check, causing memcpy to read heap memory preceding the cache buffer into the extracted file. The issue affects versions 9.34 through 26.00 on 32-bit builds, where size_t is 32 bits and the addition offsetInBlock + blockSize wraps modulo 2³². 64-bit builds promote the addition to 64 bits and correctly reject malformed input. Version 26.01 patches the vulnerability.
Critical Impact
A crafted SquashFS archive can leak adjacent heap memory contents into extracted files, exposing sensitive process data to the attacker.
Affected Products
- 7-Zip versions 9.34 through 26.00 (32-bit builds)
- 7-Zip CLI and GUI components that parse SquashFS archives
- Third-party tools and integrations that bundle vulnerable 7-Zip libraries
Discovery Timeline
- 2026-06-05 - CVE-2026-48092 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-48092
Vulnerability Analysis
The vulnerability is classified as an out-of-bounds read [CWE-125] triggered by an integer overflow. 7-Zip's SquashFS handler validates a fragment offset before copying data from a decompressed block cache. On 32-bit builds, the validation computes offsetInBlock + blockSize using size_t arithmetic. When the attacker supplies a large node.Offset, the sum wraps around the 32-bit boundary and the bounds check passes incorrectly.
After the flawed check, memcpy proceeds with the original unwrapped offset. The destination buffer receives bytes from memory preceding the cache buffer rather than valid fragment data. The disclosed heap region can contain decompressed contents of other archive entries, allocator metadata, or any residual data left by recently freed allocations.
Root Cause
The root cause is missing overflow-safe arithmetic in the fragment bounds check inside ReadBlock. The code assumes offsetInBlock + blockSize cannot exceed the cache size, but does not detect wraparound. On 64-bit builds the operands are promoted to 64 bits, so the sum cannot wrap and the check behaves correctly. The defect is therefore specific to platforms and binaries where size_t is 32 bits.
Attack Vector
Exploitation requires the victim to open or extract a malicious SquashFS archive using a 32-bit build of 7-Zip. The attack vector is network-delivered content with user interaction, such as a downloaded archive, an email attachment, or a file fetched through a chat or collaboration platform. The attacker controls the extracted output, which contains leaked heap bytes that can be exfiltrated when the file is uploaded, shared, or rendered. Successful exploitation breaks confidentiality of process memory and can also corrupt or destabilize the extraction workflow.
No verified public proof-of-concept code is currently available. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-48092
Indicators of Compromise
- SquashFS archives (.sfs, .squashfs) with abnormally large fragment offset fields in the inode table
- Extracted files containing non-archive byte patterns such as heap allocator metadata or unrelated string fragments
- 7-Zip processes loading 32-bit binaries (7z.exe, 7zFM.exe) on systems that also have 64-bit builds available
Detection Strategies
- Inspect SquashFS archive headers and fragment tables for offset values that approach or exceed 2³² when added to block size
- Hash and inventory all 7-Zip installations to identify versions between 9.34 and 26.00, prioritizing 32-bit builds
- Apply YARA or static analysis rules that flag SquashFS structures with malformed fragment metadata in email gateways and file scanners
Monitoring Recommendations
- Log archive extraction events from 7z.exe and any embedded 7-Zip libraries through endpoint telemetry
- Alert on extraction of SquashFS archives from untrusted origins such as email attachments or external downloads
- Correlate extraction events with subsequent uploads of the extracted output to detect potential data exfiltration
How to Mitigate CVE-2026-48092
Immediate Actions Required
- Upgrade all 7-Zip installations to version 26.01 or later, which contains the bounds-check fix
- Replace 32-bit 7-Zip builds with the 64-bit version on supported operating systems, as 64-bit builds are not vulnerable
- Block or quarantine SquashFS archives from untrusted sources at email and web gateways until patching completes
Patch Information
7-Zip version 26.01 corrects the fragment offset validation in the SquashFS ReadBlock function. The fix performs the addition using overflow-safe arithmetic and rejects inputs where offsetInBlock + blockSize would wrap. Refer to the GitHub Security Advisory GHSL-2026-115_GHSL-2026-122 for the patch reference.
Workarounds
- Disable extraction of SquashFS-format archives in environments where the format is not required
- Restrict 7-Zip execution to 64-bit builds via application allowlisting policies
- Extract untrusted archives inside sandboxed or ephemeral virtual machines to contain any leaked memory content
# Verify installed 7-Zip version and architecture on Windows
7z.exe i | findstr /I "Version"
# On Linux, confirm 7zip package version and upgrade
7z --help | head -n 2
sudo apt-get update && sudo apt-get install --only-upgrade 7zip
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
