CVE-2026-48095 Overview
CVE-2026-48095 is a heap buffer overflow in 7-Zip versions 26.00 and prior. The flaw resides in the NTFS handler's compressed stream buffer allocation. A crafted NTFS image triggers undefined behavior in a shift operation, causing _inBuf to be allocated as a single byte. The handler then writes up to 256 MB of attacker-controlled data into that buffer, overwriting the adjacent CInStream vtable pointer. The result is a vtable hijack leading to arbitrary code execution. The NTFS handler is enabled by default and matches images via signature, so extension renaming does not prevent processing. Version 26.01 contains the fix.
Critical Impact
Opening or testing a malicious NTFS image in 7-Zip can yield arbitrary code execution through a vtable hijack in the user's context.
Affected Products
- 7-Zip versions 26.00 and prior (all platforms shipping 7z.dll with the NTFS handler)
- 32-bit builds reach the overflow unconditionally
- 64-bit builds are exploitable when the parallel 8 GB _outBuf allocation succeeds
Discovery Timeline
- 2026-06-05 - CVE-2026-48095 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-48095
Vulnerability Analysis
The vulnerability is an integer overflow leading to a heap buffer overflow [CWE-190]. CInStream::GetCuSize() in the NTFS handler computes the compression-unit buffer size with the expression (UInt32)1 << (BlockSizeLog + CompressionUnit). When a crafted image specifies ClusterSizeLog >= 28 and CompressionUnit == 4, the shift exponent reaches 32. Shifting a 32-bit value by 32 bits is undefined behavior in C/C++. On x86 and x64 the shift instruction masks the count of a 32-bit shift to its low five bits, so the expression evaluates to 1 and _inBuf is allocated as 1 byte. ReadStream_FALSE subsequently writes up to 256 MB of attacker-controlled data in 64 KB iterations into the one-byte allocation.
Root Cause
The shift expression does not validate that BlockSizeLog + CompressionUnit stays within the width of a 32-bit integer. The under-allocation propagates downstream because the read routine does not verify the buffer capacity against the input length.
Attack Vector
An attacker delivers a crafted NTFS image to the victim. Extraction or testing through 7-Zip processes the file because signature-based detection matches the NTFS string at offset 3 regardless of file extension. After the overflow, the CInStream object's vtable pointer sits 304 bytes after _inBuf and is overwritten. The next virtual dispatch transfers control to an attacker-chosen address. User interaction is required to open or test the archive.
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory GHSL-2026-140 for the technical write-up.
Detection Methods for CVE-2026-48095
Indicators of Compromise
- NTFS image files containing ClusterSizeLog >= 28 and CompressionUnit == 4 in the boot sector parameters
- Files matching the NTFS signature at byte offset 3 that are not legitimate filesystem images
- 7-Zip process crashes or anomalous child processes spawned during archive extraction
Detection Strategies
- Inspect inbound archives and disk images at the email and web gateway for malformed NTFS boot sector fields
- Hunt for 7zG.exe, 7zFM.exe, or 7z.exe spawning shells, scripting engines, or network utilities
- Alert on 7-Zip process termination with access violation exit codes when handling archive content
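The boot-sector inspection described above can be sketched as follows. This is an added example, not code from the advisory or from 7-Zip. It assumes the standard NTFS boot sector layout (bytes per sector at 0x0B, sectors per cluster at 0x0D, with values above 0x80 read as a signed exponent); the function names are hypothetical, and it checks only the cluster size, not the per-attribute CompressionUnit.

```python
import struct

NTFS_OEM_ID = b"NTFS    "      # 8-byte signature at offset 3 of the boot sector
CLUSTER_LOG_THRESHOLD = 28     # from the advisory: ClusterSizeLog >= 28


def _log2_exact(value):
    """Return log2(value) if value is a power of two, else None."""
    if value <= 0 or value & (value - 1):
        return None
    return value.bit_length() - 1


def ntfs_cluster_size_log(boot_sector):
    """Return log2(cluster size) for an NTFS-signed boot sector, or None if
    the buffer is not NTFS-signed or its geometry fields are malformed."""
    if len(boot_sector) < 0x0E or boot_sector[3:11] != NTFS_OEM_ID:
        return None
    bytes_per_sector = struct.unpack_from("<H", boot_sector, 0x0B)[0]
    sector_log = _log2_exact(bytes_per_sector)
    if sector_log is None:
        return None
    spc = boot_sector[0x0D]
    if spc <= 0x80:
        spc_log = _log2_exact(spc)
        if spc_log is None:
            return None
    else:
        # Assumption: values above 0x80 encode the exponent as 256 - value.
        spc_log = 0x100 - spc
    return sector_log + spc_log


def is_suspicious_ntfs_image(boot_sector):
    """True when the declared cluster size meets the advisory's threshold."""
    log = ntfs_cluster_size_log(boot_sector)
    return log is not None and log >= CLUSTER_LOG_THRESHOLD


def make_boot_sector(bytes_per_sector, sectors_per_cluster_byte):
    """Constructed test fixture: only the fields this check reads are set."""
    sector = bytearray(512)
    sector[3:11] = NTFS_OEM_ID
    struct.pack_into("<H", sector, 0x0B, bytes_per_sector)
    sector[0x0D] = sectors_per_cluster_byte
    return bytes(sector)
```

A gateway or triage script would pass the first 512 bytes of each inbound file to is_suspicious_ntfs_image() regardless of extension, since the handler matches on signature.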
Monitoring Recommendations
- Log file open events for .img, .iso, .vhd, and arbitrary extensions processed by 7-Zip binaries
- Capture parent-child process relationships for any 7-Zip executable across endpoints
- Track installed 7-Zip versions across the fleet and flag hosts running 26.00 or earlier
How to Mitigate CVE-2026-48095
Immediate Actions Required
- Upgrade all 7-Zip installations to version 26.01 or later
- Inventory endpoints, build servers, and forensic workstations for older 7-Zip binaries and 7z.dll redistributions
- Block delivery of disk image attachments at the email gateway until patching completes
Patch Information
The maintainer addressed the issue in 7-Zip 26.01. The fix validates the shift exponent in CInStream::GetCuSize() before allocating _inBuf. Obtain the release from the official 7-Zip distribution channels and the SourceForge 7-Zip Discussion Thread.
Workarounds
- Do not open or test untrusted archives and disk images with vulnerable 7-Zip versions
- Restrict 7-Zip use to a sandboxed account or isolated VM until upgrades are complete
- Strip or quarantine NTFS-signature files at the perimeter when 7-Zip extraction is not required
rem Verify installed 7-Zip version on Windows
reg query "HKLM\SOFTWARE\7-Zip" /v Path
"C:\Program Files\7-Zip\7z.exe" | findstr /C:"7-Zip"


