CVE-2026-48102 Overview
CVE-2026-48102 is a heap out-of-bounds read vulnerability in 7-Zip, the widely used open-source file archiver. The flaw resides in the Universal Disk Format (UDF) disc image handler, specifically the File Identifier Descriptor parser at CFileId::Parse in CPP/7zip/Archive/Udf/UdfIn.cpp. Versions 9.11 through 26.00 are affected, and version 26.01 contains the fix.
The vulnerability allows an attacker to read up to 3 bytes past an exact-size heap buffer when a victim opens a crafted .iso or .udf file. Because 7-Zip auto-detects UDF images by signature, the issue triggers during listing or extraction.
Critical Impact
Crafted UDF images cause a 1-to-3 byte heap out-of-bounds read, enabling limited information disclosure and denial of service. No write primitive exists.
Affected Products
- 7-Zip versions 9.11 through 26.00
- File handlers for .iso and .udf archive types
- Any application or workflow that bundles or invokes 7-Zip libraries to process UDF disc images
Discovery Timeline
- 2026-06-05 - CVE-2026-48102 published to NVD
- 2026-06-10 - Last updated in NVD database
- Advisory published by GitHub Security Lab as GHSL-2026-115
Technical Details for CVE-2026-48102
Vulnerability Analysis
The vulnerability is an out-of-bounds read [CWE-125] in the UDF File Identifier Descriptor parser. The parser rejects the descriptor when size < 38 + idLen + impLen, then advances the processed counter to 38 + impLen + idLen and enters an alignment-padding loop. This loop reads p[processed] and increments processed up to 3 times to reach a 4-byte boundary.
The bounds check processed <= size only executes after the loop completes. When (38 + impLen + idLen) % 4 != 0 and 38 + impLen + idLen == size, the loop reads 1 to 3 bytes past the end of the exact-size heap buffer allocated via buf.Alloc((size_t)item.Size).
Impact is constrained. The OOB read can leak heap-adjacent memory through a 1-bit oracle per byte derived from open or fail behavior. Under hardened allocators, the read can crash the process, producing a denial of service. The flaw provides no write primitive and no direct code execution path.
Root Cause
The defect is a misordered bounds validation. The parser advances a pointer before confirming the new position remains within the allocated buffer. The post-loop boundary check arrives too late, after the unsafe reads have already occurred.
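The misordered check described above, as a simplified C model added here for illustration; it is not 7-Zip's source or the 26.01 patch. Function names and the read counter are hypothetical, the zero-padding test is an assumption, and the field offsets (idLen at byte 19, impLen at bytes 36-37) follow the ECMA-167 File Identifier Descriptor layout.

```c
#include <stdint.h>
#include <stdio.h>
#define FID_FIXED 38u        /* fixed part of the descriptor, from the text */
static unsigned oob_reads;   /* hypothetical counter: reads at index >= size */
static uint8_t read_at(const uint8_t *p, size_t i, size_t size) {
    oob_reads += (i >= size);  /* in the real bug: past the exact-size heap block */
    return p[i];
}

/* Length check from the text; returns the end of the body, or 0 to reject. */
static size_t body_end(const uint8_t *p, size_t size) {
    if (size < FID_FIXED) return 0;
    unsigned idLen = p[19], impLen = p[36] | ((unsigned)p[37] << 8); /* ECMA-167 */
    if (size < FID_FIXED + idLen + impLen) return 0;
    return FID_FIXED + impLen + idLen;
}
/* Misordered: the padding loop reads first, the bound is tested afterwards. */
size_t parse_late_check(const uint8_t *p, size_t size) {
    size_t processed = body_end(p, size);
    if (processed == 0) return 0;
    for (; (processed & 3) != 0; processed++)
        if (read_at(p, processed, size) != 0) return 0;  /* assumed: pad is 0 */
    return processed <= size ? processed : 0;
}

/* Hardened: each index is compared with size before it is dereferenced. */
size_t parse_early_check(const uint8_t *p, size_t size) {
    size_t processed = body_end(p, size);
    if (processed == 0) return 0;
    for (; (processed & 3) != 0; processed++) {
        if (processed >= size) return 0;
        if (read_at(p, processed, size) != 0) return 0;
    }
    return processed;
}

/* Constructed input: zeroed descriptor, impLen = 0, in an oversized backing array. */
unsigned count_oob(size_t (*parse)(const uint8_t *, size_t), uint8_t idLen, size_t size) {
    uint8_t backing[FID_FIXED + 255 + 4] = {0};
    backing[19] = idLen;
    oob_reads = 0;
    parse(backing, size);
    return oob_reads;
}

int main(void) {
    return printf("late=%u early=%u\n", count_oob(parse_late_check, 3, 41),
                  count_oob(parse_early_check, 3, 41)) < 0;
}
```

With size 41 and idLen 3, the late-check variant performs three reads past size before rejecting the descriptor, while the early-check variant rejects it with none. The backing array is deliberately larger than size so the model itself stays within valid memory.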
Attack Vector
Exploitation requires user interaction. An attacker delivers a crafted UDF disc image via email, web download, or shared storage. The UDF handler is registered for .iso and .udf extensions and is also selected by signature auto-detection, so renaming the file does not prevent triggering. When the victim opens, lists, or extracts the archive with a vulnerable 7-Zip version, CFileId::Parse executes and the OOB read occurs.
The vulnerability mechanism is documented in the GitHub Security Lab advisory GHSL-2026-115. No public proof-of-concept exploit is currently listed in Exploit-DB.
Detection Methods for CVE-2026-48102
Indicators of Compromise
- Unexpected crashes of 7z.exe, 7zG.exe, or 7zFM.exe when opening .iso or .udf files, particularly under hardened allocators or with Page Heap enabled
- Repeated open attempts against the same UDF or ISO file from email attachments or browser downloads
- Inbound .iso or .udf attachments with abnormally small payloads sized to trigger boundary conditions in the File Identifier Descriptor
Detection Strategies
- Inventory endpoints for installed 7-Zip versions and flag any release between 9.11 and 26.00
- Inspect process telemetry for 7-Zip child processes spawned by mail clients, browsers, or Office applications opening UDF or ISO files
- Hunt for crash events with exception code 0xC0000005 (access violation) in 7-Zip modules in Windows Error Reporting logs
Monitoring Recommendations
- Capture and review file-open events targeting .iso and .udf extensions originating from untrusted sources
- Alert on user-mode crashes of 7-Zip binaries to surface either exploitation attempts or post-patch regression
- Correlate archive-handler activity with email and web gateway delivery logs to identify the source of malicious UDF images
How to Mitigate CVE-2026-48102
Immediate Actions Required
- Upgrade 7-Zip to version 26.01 or later on all endpoints, servers, and build systems
- Audit third-party software that bundles 7-Zip libraries (7z.dll, 7za.dll) and apply vendor updates that incorporate the fix
- Block delivery of .iso and .udf attachments at email and web gateways where business workflows do not require them
Patch Information
7-Zip version 26.01 corrects the bounds check in CFileId::Parse within CPP/7zip/Archive/Udf/UdfIn.cpp. Download the patched build from the official 7-Zip distribution and validate version strings post-deployment. Refer to the GitHub Security Lab advisory for technical details.
Workarounds
- Disassociate .iso and .udf extensions from 7-Zip until the patched version is deployed
- Instruct users not to open disc image archives received from untrusted sources
- Run 7-Zip operations on untrusted archives inside an isolated sandbox or virtual machine to contain potential information disclosure or crash impact
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


