CVE-2026-48095

7-Zip Heap Buffer Overflow via NTFS Handler Integer Overflow (CWE-190)

CVE-2026-48095 is a critical heap buffer overflow in 7-Zip versions 26.00 and earlier caused by integer overflow in NTFS stream handling, enabling arbitrary code execution.

TL;DR

  • CVE-2026-48095 is a heap buffer overflow in 7-Zip versions 26.00 and earlier caused by integer overflow (CWE-190) in the NTFS compressed stream handler
  • CVSS 8.8 (High) with network attack vector enabling arbitrary code execution or application crashes
  • Affects all systems running 7-Zip with the default NTFS handler enabled in 7z.dll
  • No public in-the-wild exploitation confirmed at the time of writing; not listed in CISA KEV
  • Upgrade to 7-Zip version 26.01 immediately to remediate

What is CVE-2026-48095?

CVE-2026-48095 is a heap buffer overflow vulnerability in 7-Zip's NTFS handler that allows attackers to execute arbitrary code or crash applications. The flaw stems from an integer overflow (CWE-190) when calculating buffer sizes for NTFS compressed streams. When processing a specially crafted NTFS image, the software allocates only 1 byte instead of the required buffer size, then writes up to 256 MB of attacker-controlled data into that undersized allocation.

Who is affected?

  • 7-Zip version 26.00 and all prior versions
  • Systems using the stock 7z.dll library with the NTFS handler enabled (default configuration)
  • Both 32-bit and 64-bit installations, though exploitation differs between architectures
  • Any application integrating the vulnerable 7z.dll component
  • Users who extract, test, or preview NTFS image files regardless of file extension

How severe is it?

The vulnerability carries a CVSS 3.1 base score of 8.8 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. Breaking down the vector components:

Attack Vector (Network): Malicious NTFS images can be delivered via email, web downloads, or file shares. The NTFS handler uses signature-based matching for "NTFS " at byte offset 3, meaning crafted files trigger the vulnerable code path regardless of file extension during extraction or testing operations.

Attack Complexity (Low): Exploitation requires crafting an NTFS image with ClusterSizeLog >= 28 and CompressionUnit == 4. This drives the exponent in the buffer size calculation to 32. Shifting a 32-bit value by 32 or more is undefined behavior in C/C++, and on x86/x64 the processor keeps only the low five bits of the shift count, so the computed size collapses to a 1-byte allocation.
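The following C program, added here as an illustration and not taken from 7-Zip's source or the advisory, models the size calculation described above. It assumes the compression-unit size is derived as 1 << (ClusterSizeLog + CompressionUnit); that formula is an assumption that matches the exponent arithmetic the page gives, not a quotation of CInStream::GetCuSize(). The unchecked variant reproduces the x86/x64 result by masking the shift count explicitly (so the program itself stays free of undefined behavior), and the checked variant shows the bound a hardened parser applies before shifting.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* ASSUMPTION: buffer size = 1 << (ClusterSizeLog + CompressionUnit).
 * This models the failure mode the advisory describes; it is not 7-Zip's code. */

/* Emulates the unchecked 32-bit shift as x86/x64 hardware executes it: the CPU
 * uses only the low five bits of the count, so an exponent of 32 becomes 0 and
 * the result is 1.  In real C a shift by 32 on a 32-bit type is undefined; the
 * explicit "& 31" keeps this demonstration well-defined. */
uint32_t cu_size_unchecked_x86(unsigned clusterSizeLog, unsigned compressionUnit)
{
    unsigned exponent = clusterSizeLog + compressionUnit;
    return (uint32_t)1 << (exponent & 31);
}

/* Largest exponent whose result still fits in the 32-bit size type.  A real
 * parser would use a much tighter, format-specific limit; 31 is the absolute
 * ceiling that prevents the wrap-around. */
#define CU_SIZE_MAX_LOG 31u

/* Hardened version: both fields come from the untrusted image, so each one is
 * bounded before the addition (so the sum cannot wrap) and the sum is bounded
 * before the shift.  Returns false instead of producing a wrong size. */
bool cu_size_checked(unsigned clusterSizeLog, unsigned compressionUnit,
                     uint32_t *outSize)
{
    if (clusterSizeLog > CU_SIZE_MAX_LOG || compressionUnit > CU_SIZE_MAX_LOG)
        return false;
    unsigned exponent = clusterSizeLog + compressionUnit;
    if (exponent > CU_SIZE_MAX_LOG)
        return false;
    *outSize = (uint32_t)1 << exponent;
    return true;
}

/* Convenience wrapper: the checked size, or 0 when the input is rejected. */
uint32_t cu_size_or_zero(unsigned clusterSizeLog, unsigned compressionUnit)
{
    uint32_t size = 0;
    return cu_size_checked(clusterSizeLog, compressionUnit, &size) ? size : 0;
}

int main(void)
{
    /* Ordinary image: 4 KB clusters (log 12) and a 16-cluster compression unit. */
    printf("ClusterSizeLog=12 CU=4: unchecked=%u checked=%u\n",
           cu_size_unchecked_x86(12, 4), cu_size_or_zero(12, 4));
    /* Values the advisory names: exponent 32. */
    printf("ClusterSizeLog=28 CU=4: unchecked=%u checked=%u (0 = rejected)\n",
           cu_size_unchecked_x86(28, 4), cu_size_or_zero(28, 4));
    return 0;
}
```

For the ordinary image both paths agree on 65536 bytes; for the advisory's values the unchecked path yields a 1-byte size while the checked path rejects the image before any allocation happens, which is the behavior a fixed handler should have.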

Privileges Required (None) / User Interaction (Required): No authentication is needed, but a user must open or extract the malicious file.

Impact (High across CIA): The overflow overwrites the CInStream object's vtable pointer located 304 bytes after the undersized buffer, achieving vtable hijacking for arbitrary code execution. On 32-bit builds, code execution is unconditionally achievable. On 64-bit builds, exploitation requires an 8 GB _outBuf allocation to succeed; otherwise, the attack fails closed to denial of service.

Is it being exploited?

No public in-the-wild exploitation has been confirmed at the time of writing. CVE-2026-48095 is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog. However, the technical details disclosed in the GitHub Security Lab advisory provide sufficient information for skilled attackers to develop working exploits. Organizations should treat this as a high-priority remediation target.

How to fix and mitigate it

  1. Upgrade to 7-Zip version 26.01 immediately. This release patches the integer overflow in CInStream::GetCuSize(). Download only from official sources at 7-zip.org or trusted package repositories.

  2. Inventory all 7-Zip installations across endpoints and servers. Include applications that bundle or integrate 7z.dll as a dependency.

  3. Implement file type restrictions at email gateways and web proxies to block or quarantine NTFS image files (.ntfs, .img, and other disk image formats) until patching is complete.

  4. Configure application control policies to prevent execution of outdated 7-Zip binaries. Start by establishing which version is installed:

# Example: Check 7-Zip version on Windows systems
# Installation path recorded by the installer
Get-ItemProperty "HKLM:\SOFTWARE\7-Zip" | Select-Object Path
# File version of the installed executable (vulnerable if 26.00 or earlier)
(Get-Item "C:\Program Files\7-Zip\7z.exe").VersionInfo.FileVersion

  5. Apply defense-in-depth controls, including enabling DEP/ASLR enforcement and restricting archive extraction to sandboxed environments for untrusted files.

  6. Monitor vendor communications via the SourceForge discussion thread for additional guidance or indicators of compromise.

How to detect exposure

Version verification is the primary detection method. Vulnerable installations are version 26.00 or earlier.

# Linux/macOS version check
7z --help | head -n 2

# Windows PowerShell version check
& "C:\Program Files\7-Zip\7z.exe" | Select-String "7-Zip"

Network monitoring: Alert on NTFS image file downloads or email attachments. Look for files containing the byte sequence "NTFS " (NTFS followed by four spaces) at offset 3.
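The check described above, as an added example that is not part of the original page or of any vendor product: a small C routine that tests whether a buffer carries the NTFS boot-sector OEM ID at byte offset 3, run over constructed sample "attachments". The sample bytes (an NTFS boot-sector prefix, a PNG header, and a text snippet) are constructed for this demonstration and are not taken from any real file. The point it makes is the one in the text: the match depends on content, so the same bytes under a misleading extension are still identified.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* NTFS boot sector layout: a 3-byte jump instruction, then the 8-byte OEM ID
 * "NTFS    " (the letters NTFS followed by four spaces) at byte offset 3. */
#define NTFS_OEM_OFFSET 3u
static const unsigned char NTFS_OEM_ID[8] = { 'N','T','F','S',' ',' ',' ',' ' };

/* True when the buffer begins with the NTFS boot-sector signature.  The file
 * name or extension plays no part, mirroring how the handler itself matches. */
bool looks_like_ntfs_image(const unsigned char *data, size_t len)
{
    if (data == NULL || len < NTFS_OEM_OFFSET + sizeof NTFS_OEM_ID)
        return false;
    return memcmp(data + NTFS_OEM_OFFSET, NTFS_OEM_ID, sizeof NTFS_OEM_ID) == 0;
}

/* Constructed first 16 bytes of an NTFS boot sector: x86 jump (EB 52 90),
 * OEM ID, BytesPerSector = 0x0200 little-endian, SectorsPerCluster = 8. */
static const unsigned char sample_ntfs[16] = {
    0xEB, 0x52, 0x90, 'N','T','F','S',' ',' ',' ',' ',
    0x00, 0x02, 0x08, 0x00, 0x00
};
/* Constructed PNG header: a decoy that must not match. */
static const unsigned char sample_png[16] = {
    0x89, 'P','N','G', 0x0D, 0x0A, 0x1A, 0x0A, 0, 0, 0, 13, 'I','H','D','R'
};
/* Constructed text that mentions NTFS, but not at offset 3. */
static const unsigned char sample_txt[] = "The NTFS handler in 7z.dll";

struct sample { const char *name; const unsigned char *data; size_t len; };

/* Runs the signature check over a list of samples, reporting each result, and
 * returns the number of matches so a caller can quarantine or escalate. */
int count_ntfs_images(const struct sample *samples, size_t n)
{
    int hits = 0;
    for (size_t i = 0; i < n; i++) {
        bool hit = looks_like_ntfs_image(samples[i].data, samples[i].len);
        printf("%-12s %s\n", samples[i].name,
               hit ? "NTFS boot-sector signature at offset 3" : "no match");
        hits += hit ? 1 : 0;
    }
    return hits;
}

/* The constructed sample set: the same NTFS bytes appear once under a disk-image
 * name and once under a harmless-looking .txt name to show extension independence. */
int scan_constructed_samples(void)
{
    const struct sample samples[] = {
        { "disk.img",   sample_ntfs, sizeof sample_ntfs },
        { "report.txt", sample_ntfs, sizeof sample_ntfs },
        { "logo.png",   sample_png,  sizeof sample_png },
        { "notes.txt",  sample_txt,  sizeof sample_txt - 1 },
    };
    return count_ntfs_images(samples, sizeof samples / sizeof samples[0]);
}

int main(void)
{
    int hits = scan_constructed_samples();
    printf("%d of 4 constructed samples carry the NTFS signature\n", hits);
    return 0;
}
```

Two of the four constructed samples match (disk.img and report.txt, which share the same bytes); the PNG and the plain text do not, and a buffer shorter than 11 bytes is rejected before the comparison rather than read past its end. In a gateway this check is a triage signal for routing to a sandbox or quarantine, not proof of malice, since legitimate NTFS images match as well.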

Endpoint detection: Configure EDR solutions to monitor for 7-Zip processes exhibiting anomalous memory allocation patterns or crashes. Heap corruption during archive operations may indicate exploitation attempts.

Log analysis: Review application crash dumps for 7z.exe, 7zG.exe, or 7zFM.exe involving access violations in the NTFS handler code paths. Windows Event Log Application entries with faulting module 7z.dll warrant investigation.

Vulnerability scanners: Update your scanning tools to detect CVE-2026-48095. Most enterprise scanners should incorporate this check following the NVD entry publication.

Frequently asked questions

Can CVE-2026-48095 be triggered without user interaction?

No. The CVSS vector indicates user interaction is required (UI:R). An attacker must convince a user to open or extract a malicious NTFS image file. However, the NTFS handler's signature-based matching means the file can have any extension, making social engineering easier.

Are 64-bit 7-Zip installations safe from this vulnerability?

Not entirely. On 64-bit builds, successful code execution requires an 8 GB memory allocation to succeed. If this allocation fails, the attack results in denial of service rather than code execution. Both outcomes represent security impacts, so patching remains essential.

Does this affect 7-Zip command-line and GUI versions equally?

Yes. The vulnerability exists in the core 7z.dll library's NTFS handler, which is used by both the command-line and GUI interfaces. Any operation that processes NTFS images, including extraction and testing, can trigger the flaw.

Can antivirus software detect malicious files exploiting this vulnerability?

Detection depends on your security solution's signature updates. Since the vulnerability involves crafted NTFS images with specific ClusterSizeLog and CompressionUnit values, security vendors may develop signatures. However, relying solely on antivirus is insufficient; patching to version 26.01 is the definitive fix.
