CVE-2026-48111 Overview
CVE-2026-48111 is an off-by-one out-of-bounds read [CWE-125] in the 7-Zip UEFI firmware image parser. The flaw resides in the ParseDepedencyExpression function within CPP/7zip/Archive/UefiHandler.cpp. Versions 9.21 through 26.00 of 7-Zip are affected, and the UEFI handler is enabled by default in stock 7z.dll. An attacker crafts a UEFI archive containing a SECTION_DXE_DEPEX or SECTION_PEI_DEPEX section with an opcode of 0x0A, triggering the read past the end of the 10-entry kExpressionCommands array. Exploitation requires a user to open the malicious archive. Version 26.01 fixes the issue.
Critical Impact
Opening a crafted archive can crash 7-Zip or leak adjacent .rdata string literals into archive metadata, depending on linker layout.
Affected Products
- 7-Zip versions 9.21 through 26.00
- Stock 7z.dll with UEFIc format detection
- Stock 7z.dll with UEFIf format detection
Discovery Timeline
- 2026-06-05 - CVE-2026-48111 published to NVD
- 2026-06-08 - Last updated in NVD database
Technical Details for CVE-2026-48111
Vulnerability Analysis
The vulnerability is an off-by-one out-of-bounds read in 7-Zip's UEFI archive handler. ParseDepedencyExpression validates an attacker-controlled opcode byte against the size of the static kExpressionCommands array. The check uses > instead of >=, permitting an opcode value of 10 to index one slot past the end of the 10-entry array. On x64 builds, this reads 8 bytes of adjacent .rodata as a const char * pointer.
The out-of-bounds pointer is then passed through strlen and memcpy into the archive's Characts property. Two outcomes are possible per build, deterministic but linker-layout dependent. If the adjacent bytes do not form a readable pointer, an access violation crashes the process. If they do, the parser silently copies an adjacent .rdata string literal into archive metadata.
There is no write primitive, no heap data exposure, and no disclosure of secrets or ASLR base addresses. The vulnerability is reached automatically during IInArchive::Open().
Root Cause
The boundary comparison in ParseDepedencyExpression uses a strict greater-than operator against ARRAY_SIZE(kExpressionCommands). The static array contains exactly 10 entries indexed 0 through 9. The flawed comparison accepts opcode value 10 as in-range, producing the off-by-one read.
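The following is an added illustration, not code from 7-Zip or from the advisory. It models the ten-entry opcode table as a constant array, shows the strict greater-than comparison beside the corrected less-than comparison as pure predicates (nothing is dereferenced in the vulnerable variant, so the program itself never reads out of bounds), and decodes a dependency expression with the fixed check, returning an error for any body whose opcode is out of range. The mnemonic table and the 16-byte GUID operand after PUSH follow the UEFI PI dependency-expression format as an assumption; the sample bodies are constructed.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* DEPEX opcode mnemonics, 10 entries (indices 0..9), laid out after the
 * UEFI PI opcode table. Constructed for this example, not copied from 7-Zip. */
static const char *const kExpressionCommands[] = {
    "BEFORE", "AFTER", "PUSH", "AND", "OR", "NOT", "TRUE", "FALSE", "END", "SOR"
};
#define ARRAY_SIZE(a) (sizeof(a) / sizeof((a)[0]))

/* The flawed comparison the advisory describes: only opcodes strictly greater
 * than 10 are rejected, so 10 passes although the last valid index is 9.
 * Modelled as a boolean; this function dereferences nothing. */
int opcode_accepted_vulnerable(unsigned opcode)
{
    return !(opcode > ARRAY_SIZE(kExpressionCommands));
}

/* Corrected comparison: an index is valid only when it is below the size. */
int opcode_accepted_fixed(unsigned opcode)
{
    return opcode < ARRAY_SIZE(kExpressionCommands);
}

/* Decode a DEPEX body into space-separated mnemonics using the fixed check.
 * PUSH carries a 16-byte GUID operand, which is skipped and shown as PUSH(GUID).
 * Returns the number of opcodes decoded, or -1 on an out-of-range opcode or a
 * truncated operand, which is exactly the condition a scanner should flag. */
int decode_depex(const unsigned char *body, size_t len, char *out, size_t outsz)
{
    size_t pos = 0;
    int count = 0;
    if (outsz == 0) return -1;
    out[0] = '\0';
    while (pos < len) {
        unsigned opcode = body[pos++];
        if (!opcode_accepted_fixed(opcode))
            return -1;                          /* e.g. first body byte 0x0A */
        const char *name = kExpressionCommands[opcode];
        size_t used = strlen(out);
        int n = snprintf(out + used, outsz - used, "%s%s%s",
                         used ? " " : "", name, opcode == 2 ? "(GUID)" : "");
        if (n < 0 || (size_t)n >= outsz - used)
            return -1;                          /* output buffer exhausted */
        if (opcode == 2) {                      /* PUSH: 16-byte GUID follows */
            if (len - pos < 16) return -1;
            pos += 16;
        }
        count++;
        if (opcode == 8) break;                 /* END closes the expression */
    }
    return count;
}

/* Constructed sample bodies, not taken from any real firmware image. */
static const unsigned char kGoodDepex[] = {
    0x02,                                       /* PUSH */
    0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88,
    0x99,0xAA,0xBB,0xCC,0xDD,0xEE,0xFF,0x00,    /* GUID operand */
    0x06,                                       /* TRUE */
    0x03,                                       /* AND */
    0x08                                        /* END */
};
static const unsigned char kBadDepex[] = { 0x0A, 0x08 };   /* opcode 10 */

int main(void)
{
    char buf[128];
    unsigned op;
    for (op = 8; op <= 11; op++)
        printf("opcode %2u: vulnerable check accepts=%d, fixed check accepts=%d\n",
               op, opcode_accepted_vulnerable(op), opcode_accepted_fixed(op));
    int good = decode_depex(kGoodDepex, sizeof kGoodDepex, buf, sizeof buf);
    printf("good body: %d opcodes -> %s\n", good, buf);
    int bad = decode_depex(kBadDepex, sizeof kBadDepex, buf, sizeof buf);
    printf("bad body: %d (flagged)\n", bad);
    return 0;
}
```

Opcode 10 is the only value the two predicates disagree on: values 0 through 9 are accepted by both and 11 upward rejected by both, which is why the bug is a single-slot overread rather than a general one.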
Attack Vector
An attacker delivers a malicious UEFI capsule or firmware volume archive. When the victim opens it with 7-Zip, signature-based format detection routes the file through the UEFI handler. The call path OpenFv or OpenCapsule invokes ParseVolume, which calls ParseSections. Encountering a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section whose first body byte is 0x0A triggers the out-of-bounds read. See the GitHub Security Advisory for further technical context.
Detection Methods for CVE-2026-48111
Indicators of Compromise
- UEFI capsule or firmware volume archives containing SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) sections with a first body byte of 0x0A.
- Unexpected crashes of 7z.exe, 7zG.exe, or 7zFM.exe when opening archives identified as UEFIc or UEFIf format.
- Archive metadata Characts fields containing strings that resemble internal 7-Zip program literals.
Detection Strategies
- Inspect inbound archive files for the UEFI capsule signature and scan for DEPEX sections whose opcode byte equals 0x0A.
- Monitor process telemetry for access violations and abnormal termination of 7-Zip binaries at versions at or below 26.00.
- Hunt endpoint inventory for installed 7-Zip versions in the vulnerable range 9.21 through 26.00.
Monitoring Recommendations
- Alert on execution of vulnerable 7-Zip versions handling files with .cap, .fd, .rom, or other firmware image extensions.
- Track user-driven archive opens originating from email attachments, browser downloads, or removable media.
- Correlate 7-Zip crashes with the source of the parsed archive for incident scoping.
How to Mitigate CVE-2026-48111
Immediate Actions Required
- Upgrade 7-Zip to version 26.01 or later on all endpoints and build agents.
- Inventory installations and remove unsupported or unmanaged copies of the vulnerable binaries.
- Treat unsolicited UEFI firmware images and capsules as untrusted until scanned and verified.
Patch Information
The maintainer fixed the boundary check in 7-Zip version 26.01. Refer to the GitHub Security Advisory GHSL-2026-115 / GHSL-2026-122 for the official remediation details.
Workarounds
- Avoid opening UEFI capsule or firmware volume archives from untrusted sources until patched.
- Disable or remove the UEFI handler from custom 7-Zip distributions where firmware parsing is not required.
- Restrict execution of 7-Zip on systems that do not need archive extraction through application control policies.
# Verify the installed 7-Zip version on a Windows endpoint (PowerShell)
(Get-Item "C:\Program Files\7-Zip\7z.exe").VersionInfo.ProductVersion
# Example fleet check (PowerShell). Note: Win32_Product enumerates only
# Windows Installer (MSI) packages and is slow because querying it triggers
# an MSI consistency check, so it will miss copies installed with the EXE
# installer or unpacked by hand; use it alongside the file-version check above.
Get-CimInstance Win32_Product | Where-Object { $_.Name -like "7-Zip*" } | Select-Object Name, Version
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.