A new security vulnerability has been disclosed in 7-Zip, one of the world's most widely used file archiving tools. The flaw, tracked as CVE-2026-48095, is a heap-based buffer overflow that can crash the application or lead to code execution when a specially crafted archive file is opened. It affects 7-Zip 26.00 and all earlier versions and was fixed in version 26.01, so 7-Zip users should upgrade to 26.01.
The vulnerability was published by GitHub Security Lab as advisory GHSL-2026-140. It was found by Jaroslav Lobačevski of the GitHub Security Lab team and reported to the 7-Zip developers via SourceForge on April 24, 2026; 7-Zip 26.01, which contains the fix, was released on April 27, 2026. The issue, tracked as CVE-2026-48095, carries a CVSS 3.1 base score of 8.8, which places it in the "high" severity band.
The issue is a heap-based buffer overflow in the handler 7-Zip uses to process NTFS disk images. Its root cause is an incorrect calculation of the size of the buffer allocated for an NTFS compressed data stream: attacker-controlled values in a crafted NTFS image make 7-Zip allocate a far smaller buffer than the data requires, and the subsequent processing writes more data into that buffer than it can hold, corrupting the heap.
According to GitHub Security Lab, the bug is in 7-Zip's NTFS archive handler and is caused by undefined behavior in the size calculation performed by the GetCuSize function. For certain input values 7-Zip ends up allocating a 1-byte buffer for the compressed data, into which a much larger, attacker-controlled amount of data is then written. The researchers state that this heap corruption can even lead to code execution through a vtable hijack, that is, by overwriting the vtable pointer of a C++ object that sits next to the overflowed buffer so that a later virtual call is redirected.
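To make the bug class concrete, here is an added illustration in C. It is not 7-Zip's code: the advisory as summarized above names only the GetCuSize function and the 1-byte result, so the specific shape used here (a buffer size derived as a power of two from a shift count that the file controls) is an assumption, chosen because an out-of-range shift count is undefined behavior in C and C++ and, on x86-64, silently yields exactly a 1-byte allocation. The parameter names, the MAX_CU_LOG limit and the 4 KiB payload are constructed for the demo.

```c
/* Added illustration of a buffer size miscomputed from a file-controlled
 * value (NOT 7-Zip's GetCuSize; names and limits are assumptions). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Largest compression-unit exponent this toy parser accepts (assumed
 * limit for the illustration: 2^24 = 16 MiB). */
#define MAX_CU_LOG 24u

/* Unchecked size computation.  In C and C++ `1ULL << n` is undefined for
 * n >= 64.  On x86-64 the SHL instruction masks the count to 6 bits, so
 * compiled code silently evaluates 1ULL << (n & 63): an exponent of 64
 * from the file produces a 1-byte buffer.  The mask is written out
 * explicitly here so the demo is deterministic instead of actually
 * executing undefined behaviour. */
static uint64_t cu_size_unchecked(unsigned cu_log)
{
    return (uint64_t)1 << (cu_log & 63);
}

/* Hardened version: reject exponents the format cannot legitimately use
 * before they ever reach the shift.  Returns false on bad input. */
static bool cu_size_checked(unsigned cu_log, uint64_t *out)
{
    if (cu_log > MAX_CU_LOG)
        return false;
    *out = (uint64_t)1 << cu_log;
    return true;
}

/* How many bytes of a payload_len-byte write would land past the end of a
 * buf_len-byte buffer (0 means the write fits).  Nothing is written. */
static uint64_t overflow_bytes(uint64_t buf_len, uint64_t payload_len)
{
    return payload_len > buf_len ? payload_len - buf_len : 0;
}

/* Hardened write path: allocate from the checked size and refuse payloads
 * that do not fit.  Returns 0 on success, -1 when the input is rejected. */
static int write_cu_checked(unsigned cu_log, const uint8_t *payload,
                            uint64_t payload_len)
{
    uint64_t size;
    if (!cu_size_checked(cu_log, &size))
        return -1;                      /* bogus exponent in the header */
    if (payload_len > size)
        return -1;                      /* would overflow the buffer */
    uint8_t *buf = malloc((size_t)size);
    if (!buf)
        return -1;
    memcpy(buf, payload, (size_t)payload_len);   /* fits by construction */
    free(buf);
    return 0;
}

int main(void)
{
    /* Constructed hostile header field: a compression-unit exponent of 64,
     * and a constructed 4 KiB payload standing in for decompressed data. */
    unsigned hostile_cu_log = 64;
    uint8_t payload[4096] = {0};

    uint64_t bad = cu_size_unchecked(hostile_cu_log);
    printf("unchecked: cu_log=%u -> %llu-byte buffer, %llu bytes would spill\n",
           hostile_cu_log, (unsigned long long)bad,
           (unsigned long long)overflow_bytes(bad, sizeof payload));
    printf("checked:   cu_log=%u -> %s\n", hostile_cu_log,
           write_cu_checked(hostile_cu_log, payload, sizeof payload) == 0
               ? "accepted" : "rejected");
    return 0;
}
```

The point of the hardened path is the order of the checks: the exponent is validated before it is used in arithmetic, so no undefined behavior occurs, and the payload length is compared against the buffer that was actually allocated rather than against the size the header claims.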
The impact depends on the platform and on the memory layout at the time of the overflow: on some systems it can be exploited for code execution, on others it results in a crash and therefore a denial of service. To trigger the bug the user only needs to open a crafted archive file. According to GitHub Security Lab's technical analysis, the attack surface is not limited to files with .ntfs or .img extensions: because 7-Zip identifies formats by signature rather than by file extension, a malicious NTFS image can be delivered to the user under a different extension.
That means more common archive extensions such as .7z, .zip or .rar can be used in the attack scenario. Even when the extension points to a different archive format, 7-Zip tries other handlers when the initial format match fails and opens the file through the NTFS handler once it detects the NTFS signature. As TechSpot reports, the vulnerability therefore concerns both end users and system administrators.
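Because the file name tells you nothing, a mail gateway or incident responder looking for NTFS images hiding behind archive extensions has to inspect content. The following added example (not 7-Zip's own detection code) classifies files by two well-known NTFS boot-sector constants, the OEM ID "NTFS    " at byte offset 3 and the 0x55 0xAA end-of-sector marker at offset 510, regardless of extension; the `classify_file` helper and the sample buffers used to exercise it are constructed for this example.

```c
/* Added example: detect an NTFS boot sector by content, not by extension.
 * Not 7-Zip's detection code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SECTOR 512

/* Returns true if the first `len` bytes of `buf` look like an NTFS boot
 * sector: OEM ID "NTFS    " at offset 3 and 0x55 0xAA at offset 510. */
static bool looks_like_ntfs(const uint8_t *buf, size_t len)
{
    if (len < SECTOR)
        return false;
    if (memcmp(buf + 3, "NTFS    ", 8) != 0)
        return false;
    return buf[510] == 0x55 && buf[511] == 0xAA;
}

/* Reads the first sector of `path` and classifies it.
 * Returns 1 for an NTFS image, 0 for anything else, -1 if unreadable. */
static int classify_file(const char *path)
{
    uint8_t buf[SECTOR];
    FILE *f = fopen(path, "rb");
    if (!f)
        return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return looks_like_ntfs(buf, n) ? 1 : 0;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s FILE...\n", argv[0]);
        return 2;
    }
    for (int i = 1; i < argc; i++) {
        int r = classify_file(argv[i]);
        printf("%s: %s\n", argv[i],
               r == 1 ? "NTFS image (whatever the extension says)"
             : r == 0 ? "not an NTFS image"
             :          "unreadable");
    }
    return 0;
}
```

Run it over quarantined attachments (for example `./ntfs_sniff suspicious.zip report.7z`); a hit on a file whose extension claims .zip or .7z is exactly the mismatch the advisory describes. The check is deliberately narrow: it only answers "is this an NTFS image", which is the handler this CVE concerns, and says nothing about whether a genuine archive is malicious.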
7-Zip runs on many systems not only through its desktop interface but also as the command-line tool and as libraries embedded in other software, so any Windows or Linux system with an old version is part of the attack surface. GitHub Security Lab tested the bug against 7-Zip 26.00 and lists 26.00 and all earlier versions as affected; the fix is in 26.01. The official 7-Zip download page offers 26.01 packages for Windows x64, Windows x86, Windows ARM64, Linux x86-64, Linux ARM and macOS.
The advisory also includes a working proof-of-concept that builds a crafted NTFS image and triggers the bug, so the update should not be delayed. Obtain 7-Zip only from the official 7-zip.org website or a trusted package manager. The installed version is shown in the application's Help and About section.
On systems that use the command-line build, check the 7z or 7zz binary as well; running it without arguments prints a banner that starts with the version number.