CVE-2026-48101 Overview
CVE-2026-48101 is an uninitialized memory disclosure vulnerability in the UEFI capsule (.scap) parser of 7-Zip. The flaw affects versions 9.21 through 26.00 and is fixed in version 26.0.1. The OpenCapsule function allocates a heap buffer based on an attacker-declared CapsuleImageSize field, up to 1 GiB, without zero-initialization. The parser then reads file contents using ReadStream_FALSE and discards the return value, leaving the unread tail of the buffer populated with prior heap contents. When GetStream exposes this buffer as extracted output, attacker-supplied archives can leak sensitive heap memory from the 7-Zip process.
Critical Impact
A crafted .scap archive can disclose uninitialized heap memory from the 7-Zip process to a victim who extracts the file, potentially exposing secrets, addresses, or other sensitive runtime data [CWE-908].
Affected Products
- 7-Zip version 9.21 through 26.00
- 7-Zip command-line and GUI builds including the UEFI capsule handler
- Downstream tools and pipelines that embed the 7-Zip extraction engine
Discovery Timeline
- 2026-06-05 - CVE-2026-48101 published to NVD
- 2026-06-11 - Last updated in NVD database
Technical Details for CVE-2026-48101
Vulnerability Analysis
The defect resides in the UEFI capsule parser used by 7-Zip to handle .scap archives. When opening a capsule, OpenCapsule trusts the CapsuleImageSize field declared in the file header and allocates a heap buffer of that size. The allocation does not clear memory, so the buffer initially holds whatever data the heap allocator returned from prior use. 7-Zip then reads the file body into this buffer with ReadStream_FALSE, but the function does not abort on short reads and its return code is ignored. A truncated capsule therefore fills only a prefix of the buffer, while the tail retains the original uninitialized heap contents. The same buffer is later passed through GetStream as legitimate extracted content, so the leaked memory is written to disk or piped to downstream consumers. Because attackers control CapsuleImageSize up to 1 GiB, they can choose how much heap data to siphon per archive. The disclosed bytes can include cryptographic material, pointers useful for bypassing ASLR, or fragments of previously processed files. The issue is tracked as [CWE-908: Use of Uninitialized Resource].
Root Cause
The root cause is missing zero-initialization on a heap buffer combined with ignored read-length validation. The parser conflates allocated capacity with valid file content, exposing residual heap bytes whenever the input file is shorter than the declared CapsuleImageSize.
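The allocate-then-short-read pattern described above, as an added illustration that is not 7-Zip's own code: `open_capsule_vulnerable` and `open_capsule_fixed` are hypothetical models of the flawed and corrected OpenCapsule logic, `read_stream` stands in for ReadStream_FALSE (it succeeds on a short read and only reports the count), and a constructed fixed pool pre-filled with 'S' bytes plays the part of a heap that still holds data from earlier use, so the leak is deterministic and countable.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed stand-in for the process heap: a fixed pool that still carries
   bytes from an earlier use, the way a recycled allocator chunk can. */
#define POOL_SIZE 256
static uint8_t heap_pool[POOL_SIZE];

void seed_stale_heap(void) {
    memset(heap_pool, 'S', POOL_SIZE);   /* 'S' marks residue that should never reach output */
}

/* malloc() model: hands the pool back without clearing it */
static uint8_t *pool_alloc(size_t n) {
    return n <= POOL_SIZE ? heap_pool : NULL;
}

/* Memory-backed input stream standing in for the .scap file on disk */
typedef struct { const uint8_t *data; size_t len; size_t pos; } MemStream;

/* Models ReadStream_FALSE: copies up to *size bytes, reports the count actually
   read back in *size, and returns success even when the stream ends early. */
static int read_stream(MemStream *s, uint8_t *dst, size_t *size) {
    size_t avail = s->len - s->pos;
    size_t n = *size < avail ? *size : avail;
    memcpy(dst, s->data + s->pos, n);
    s->pos += n;
    *size = n;
    return 0;
}

/* Vulnerable pattern: the declared CapsuleImageSize drives the allocation, the
   short read goes unchecked, and the whole capacity is handed out as content. */
const uint8_t *open_capsule_vulnerable(MemStream *s, uint32_t declared_size, size_t *out_len) {
    uint8_t *buf = pool_alloc(declared_size);
    if (!buf) return NULL;
    size_t n = declared_size;
    read_stream(s, buf, &n);        /* return value and byte count both ignored */
    *out_len = declared_size;       /* capacity, not bytes actually read */
    return buf;
}

/* Fixed pattern: bound the declared size by what the stream can supply, clear
   the buffer, and treat a short read as an error rather than as content. */
const uint8_t *open_capsule_fixed(MemStream *s, uint32_t declared_size, size_t *out_len) {
    if (declared_size > s->len - s->pos) return NULL;   /* header claims more than the file holds */
    uint8_t *buf = pool_alloc(declared_size);
    if (!buf) return NULL;
    memset(buf, 0, declared_size);                      /* nothing stale can survive */
    size_t n = declared_size;
    if (read_stream(s, buf, &n) != 0 || n != declared_size) return NULL;
    *out_len = n;
    return buf;
}

/* Count output bytes that still carry the stale 'S' residue */
size_t leaked_bytes(const uint8_t *buf, size_t len) {
    size_t k = 0;
    for (size_t i = 0; i < len; i++) if (buf[i] == 'S') k++;
    return k;
}

/* Scenario: a capsule whose header declares declared_size bytes but whose body
   holds only actual_len. Returns how many stale bytes the vulnerable path leaks. */
size_t vulnerable_leak(uint32_t declared_size, size_t actual_len) {
    uint8_t body[POOL_SIZE];
    if (actual_len > POOL_SIZE) actual_len = POOL_SIZE;
    memset(body, 'b', sizeof body);                     /* constructed capsule body, contains no 'S' */
    seed_stale_heap();
    MemStream s = { body, actual_len, 0 };
    size_t out_len = 0;
    const uint8_t *out = open_capsule_vulnerable(&s, declared_size, &out_len);
    return out ? leaked_bytes(out, out_len) : 0;
}

/* Same scenario through the fixed path: 1 if it returns clean output, 0 if it rejects */
int fixed_accepts(uint32_t declared_size, size_t actual_len) {
    uint8_t body[POOL_SIZE];
    if (actual_len > POOL_SIZE) actual_len = POOL_SIZE;
    memset(body, 'b', sizeof body);
    seed_stale_heap();
    MemStream s = { body, actual_len, 0 };
    size_t out_len = 0;
    const uint8_t *out = open_capsule_fixed(&s, declared_size, &out_len);
    return out != NULL && leaked_bytes(out, out_len) == 0;
}

int main(void) {
    printf("vulnerable, 64 declared / 16 present: %zu stale bytes leaked\n", vulnerable_leak(64, 16));
    printf("fixed, 64 declared / 16 present: %s\n", fixed_accepts(64, 16) ? "accepted" : "rejected");
    printf("fixed, 64 declared / 64 present: %s\n", fixed_accepts(64, 64) ? "accepted" : "rejected");
    return 0;
}
```

The two defences are independent and both matter: bounding the declared size and rejecting a short read stops a truncated file from being accepted at all, while clearing the buffer ensures that any remaining gap between capacity and content carries zeros rather than whatever the allocator left behind.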
Attack Vector
Exploitation requires a victim to open or extract a malicious .scap archive with a vulnerable 7-Zip build. The attack vector is network-delivered files, such as email attachments, web downloads, or shared storage. No privileges are required, but user interaction is needed to trigger extraction.
No verified public exploit code is available. See the GitHub Security Lab advisory linked below for technical details on the vulnerable code paths.
Detection Methods for CVE-2026-48101
Indicators of Compromise
- Inbound .scap files with a CapsuleImageSize header value substantially larger than the actual file size on disk
- Extracted output from 7-Zip containing high-entropy or non-structured trailing bytes inconsistent with declared content
- Repeated extraction attempts of the same crafted capsule, indicative of memory-harvesting attempts
Detection Strategies
- Inspect archive metadata at the mail or web gateway and flag .scap files whose declared image size exceeds the physical file size
- Monitor endpoints for execution of 7z.exe, 7zG.exe, or 7zz against .scap inputs and correlate with versions older than 26.0.1
- Build a software inventory query to identify hosts running 7-Zip versions 9.21 through 26.00
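The header-versus-file-size check behind the first indicator above and the first gateway strategy, as an added example rather than any vendor's or 7-Zip's code. It assumes the EFI_CAPSULE_HEADER layout from the UEFI specification (a 16-byte CapsuleGuid, then HeaderSize, Flags and CapsuleImageSize as little-endian 32-bit fields); `triage_capsule` and `build_capsule` are hypothetical helpers, and the sample capsules are constructed in `main`.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* EFI_CAPSULE_HEADER as laid out in the UEFI specification: a 16-byte
   CapsuleGuid followed by three little-endian 32-bit fields, HeaderSize,
   Flags and CapsuleImageSize (28 bytes in total). */
#define CAPSULE_HDR_LEN 28
#define OFF_HEADER_SIZE 16
#define OFF_IMAGE_SIZE  24

typedef enum {
    CAPSULE_OK = 0,          /* declared size fits within the bytes present */
    CAPSULE_TRUNCATED = 1,   /* declared size exceeds the file: flag it */
    CAPSULE_MALFORMED = 2,   /* header fields are internally inconsistent */
    CAPSULE_TOO_SHORT = 3    /* not even a full header is present */
} capsule_verdict;

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void wr_le32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Gateway-side triage: read CapsuleImageSize and compare it with the number of
   bytes actually on disk. *declared receives the header's value for logging. */
capsule_verdict triage_capsule(const uint8_t *file, size_t file_len, uint32_t *declared) {
    *declared = 0;
    if (file_len < CAPSULE_HDR_LEN) return CAPSULE_TOO_SHORT;
    uint32_t header_size = rd_le32(file + OFF_HEADER_SIZE);
    uint32_t image_size  = rd_le32(file + OFF_IMAGE_SIZE);
    *declared = image_size;
    if (header_size < CAPSULE_HDR_LEN || image_size < header_size) return CAPSULE_MALFORMED;
    if ((uint64_t)image_size > (uint64_t)file_len) return CAPSULE_TRUNCATED;
    return CAPSULE_OK;
}

/* Build a constructed capsule for testing: a zero GUID, a minimal header whose
   CapsuleImageSize is set to declared_image_size, then payload_len filler bytes.
   Returns the number of bytes written (the "size on disk"). */
size_t build_capsule(uint8_t *out, size_t cap, uint32_t declared_image_size, size_t payload_len) {
    size_t total = CAPSULE_HDR_LEN + payload_len;
    if (total > cap) return 0;
    memset(out, 0, CAPSULE_HDR_LEN);                 /* CapsuleGuid left as zeros */
    wr_le32(out + OFF_HEADER_SIZE, CAPSULE_HDR_LEN);
    wr_le32(out + OFF_HEADER_SIZE + 4, 0);           /* Flags */
    wr_le32(out + OFF_IMAGE_SIZE, declared_image_size);
    memset(out + CAPSULE_HDR_LEN, 'p', payload_len);
    return total;
}

int main(void) {
    static const char *names[] = { "ok", "truncated (flag)", "malformed", "too short" };
    uint8_t buf[128];
    uint32_t declared;

    size_t n = build_capsule(buf, sizeof buf, 64, 36);          /* honest: 28 + 36 = 64 bytes */
    printf("honest capsule: %s (declared %u, on disk %zu)\n",
           names[triage_capsule(buf, n, &declared)], declared, n);

    n = build_capsule(buf, sizeof buf, 1u << 30, 36);           /* claims 1 GiB, holds 64 bytes */
    printf("oversized claim: %s (declared %u, on disk %zu)\n",
           names[triage_capsule(buf, n, &declared)], declared, n);
    return 0;
}
```

A capsule that declares more than it contains is exactly the input the vulnerable parser turns into a heap leak, so the verdict and the declared value are worth logging alongside the source and recipient even when the file is simply dropped.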
Monitoring Recommendations
- Log archive extraction events, including source path, file type, and 7-Zip version, to a central data lake for retrospective analysis
- Alert on outbound transfers of files produced by 7-Zip immediately after extraction of .scap inputs from untrusted sources
- Track process command lines invoking 7-Zip with capsule files and correlate against threat intelligence on malicious archive distribution
How to Mitigate CVE-2026-48101
Immediate Actions Required
- Upgrade all 7-Zip installations to version 26.0.1 or later across endpoints, servers, and build systems
- Block .scap attachments at email and web gateways until patching is verified
- Audit automated extraction pipelines that process untrusted archives and pin them to the fixed 7-Zip release
Patch Information
The maintainer released 7-Zip 26.0.1, which corrects the uninitialized buffer handling in OpenCapsule and validates the result of ReadStream_FALSE. Refer to the GitHub Security Lab Advisory GHSL-2026-115/GHSL-2026-122 for the full advisory and patch references.
Workarounds
- Disassociate the .scap extension from 7-Zip and refuse to process UEFI capsules through general-purpose archivers
- Restrict archive extraction of untrusted files to sandboxed or ephemeral environments where leaked heap data has no sensitive value
- Enforce application allowlisting so older 7-Zip binaries cannot execute against attacker-supplied content
# Example: query installed 7-Zip versions on Windows endpoints via PowerShell
# Keys without a Path value are skipped so Join-Path does not fail; compare Version against 26.0.1
Get-ItemProperty HKLM:\Software\7-Zip, HKLM:\Software\WOW6432Node\7-Zip -ErrorAction SilentlyContinue |
Where-Object { $_.Path } |
Select-Object PSPath, Path, @{n='Version';e={(Get-Item (Join-Path $_.Path '7z.exe') -ErrorAction SilentlyContinue).VersionInfo.ProductVersion}}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.