
Introduction
7-Zip versions 26.00 and earlier contain a heap buffer write overflow in their NTFS archive handler, triggered by an integer overflow in memory size calculation when processing a maliciously crafted NTFS compressed stream. This memory corruption issue, discovered and privately disclosed by Alexandre Borges via the GitHub Security Lab (GHSL-2026-140), occurs because the `CInStream::GetCuSize()` function improperly computes a buffer allocation, allowing an attacker to overwrite the vtable pointer of an adjacent heap object and fully hijack execution flow with no authentication required. The vulnerability has been publicly validated, a working proof-of-concept is available, and exploitation requires only that a victim opens a specially crafted file — making it a severe threat to millions of systems running this ubiquitous open‑source archiver.
What Undercode Say:
– This vulnerability is a textbook case of integer‑shift UB causing catastrophic undersized allocations — the kind of subtle bug that compilers cannot auto‑detect but that is fully weaponizable via heap spraying and vtable overwrites.
– The public availability of a PoC eliminates the “attack complexity barrier,” and organizations with unpatched 7‑Zip installations (including embedded CLI tools in CI/CD pipelines and file servers) are now at immediate, tangible risk.
Learning Objectives
– Objective 1: Understand the technical root cause of CVE-2026-48095 — including the flawed shift operation, undefined behavior on x86/x86_64, and the resulting one‑byte allocation that triggers heap overflows.
– Objective 2: Learn how to identify vulnerable 7‑Zip versions, verify the presence of the issue using both command‑line methods and Python‑based detection tools, and apply proper patch management.
– Objective 3: Master mitigation strategies, including immediate upgrade to version 26.01, source‑based recompilation for Linux environments, and integration of dynamic exploit detection tools like AddressSanitizer.
1. Technical Root Cause Analysis: From Integer Shift UB to One‑Byte Heap Allocation
The vulnerability resides in the NTFS archive handler, specifically within the `CInStream::GetCuSize()` function found in `CPP/7zip/Archive/NtfsHandler.cpp`.
What the Vulnerability Does
When processing a specially crafted NTFS image, the attacker sets two specific parameters:
– ClusterSizeLog ≥ 28 (accepted by the parser up to a value of 30)
– CompressionUnit == 4 (explicitly allowed by the NTFS handler)
These values are fed into the 32‑bit shift operation that calculates the size of the input buffer for compressed data:

```cpp
UInt32 cuSize = (UInt32)1 << (BlockSizeLog + CompressionUnit);
```
If `BlockSizeLog = 28` and `CompressionUnit = 4`, the exponent becomes 32, which is undefined behavior in C++ when shifting a 32‑bit integer by its full bit width (or more). On x86 and x86_64 architectures, the hardware masks the shift count to the lower 5 bits, making `(UInt32)1 << 32` evaluate to 1. Consequently, `_inBuf` is allocated as a single byte instead of the intended 256 MB buffer. The subsequent `ReadStream_FALSE` function then writes up to 256 MB of attacker‑controlled data into that tiny 1‑byte buffer — in 64 KB iterations — causing a catastrophic heap overflow that corrupts adjacent heap objects.
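The three pieces of that paragraph side by side, as an added illustration that is not 7‑Zip's code: a model of what the x86 shift masking does to the size, a checked replacement for the computation, and the bounds guard the 64 KB read loop was missing. The masking is written out explicitly so the example itself executes no undefined behaviour, and the size ceiling is an assumed policy, not the actual 26.01 fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Model of the original expression on x86/x86_64: the CPU masks the shift
 * count to its low 5 bits, so exponent 32 acts like 0 and the intended
 * 256 MB comes out as 1 byte. Masking is written out so no UB runs here. */
uint32_t cu_size_as_x86_masks(unsigned block_size_log, unsigned compression_unit)
{
    return (uint32_t)1 << ((block_size_log + compression_unit) & 31u);
}

/* Hardened computation: 64-bit arithmetic, exponents that do not fit a
 * 32-bit size are rejected, as is anything above a caller-chosen ceiling
 * (an assumed policy, not 7-Zip's 26.01 fix). Returns size or -1. */
int64_t cu_size_checked(unsigned block_size_log, unsigned compression_unit,
                        unsigned max_size_log)
{
    unsigned shift = block_size_log + compression_unit;
    if (shift >= 32 || shift > max_size_log) return -1;
    return (int64_t)((uint64_t)1 << shift);
}

/* The guard the read loop lacked: copy src into dst in 64 KB chunks, never
 * past dst_cap. Returns bytes copied, or -1 when the request does not fit
 * (the case where the original kept writing into the 1-byte allocation). */
long fill_in_chunks(uint8_t *dst, size_t dst_cap, const uint8_t *src, size_t src_len)
{
    const size_t chunk = 64 * 1024;
    size_t done = 0;
    if (src_len > dst_cap)
        return -1;
    while (done < src_len) {
        size_t n = src_len - done < chunk ? src_len - done : chunk;
        memcpy(dst + done, src + done, n);
        done += n;
    }
    return (long)done;
}

/* Stand-alone check on constructed buffers (both capped at 16 bytes here):
 * copy src_len bytes into a dst_cap-byte destination. */
long guarded_copy_demo(size_t dst_cap, size_t src_len)
{
    uint8_t dst[16] = {0}, src[16];
    memset(src, 0xAB, sizeof src);
    if (dst_cap > sizeof dst || src_len > sizeof src)
        return -2;
    return fill_in_chunks(dst, dst_cap, src, src_len);
}
```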
Step‑by‑Step Guide: Reproducing and Understanding the Overflow
Step 1: Check your 7‑Zip version (Windows & Linux)
Windows (Command Prompt):

```bat
REM The banner line begins with "7-Zip <version>"; it contains no "Version" keyword
"C:\Program Files\7-Zip\7z.exe" --help | findstr /i "7-Zip"
```

Linux (terminal):

```sh
# The first line of the banner is blank, so show the first two lines
7z --help | head -2
```
Step 2: (Conceptual) Trigger conditions
The NTFS handler is enabled by default in `7z.dll` and can be triggered without any file‑extension restriction. 7‑Zip uses a signature‑based fallback — if the file contains the bytes `NTFS␣` (where ␣ is a space) at offset 3, the handler will attempt to parse it as an NTFS image, regardless of the actual file name or extension.
Step 3: Heap layout leading to vtable hijack
The `CInStream` object sits only 304 bytes after the `_inBuf` buffer in memory. When the overflow writes beyond the 1‑byte allocation, it quickly corrupts the object’s vtable pointer. The next virtual function call dispatched by the object jumps to attacker‑controlled memory, achieving vtable hijacking and arbitrary code execution.
Step 4: Architecture differences
– 32‑bit builds: The overflow is unconditional and leads directly to reliable exploitation.
– 64‑bit builds: Requires the parallel `_outBuf` allocation (8 GB) to succeed. On systems with ≥16 GB of RAM, this is feasible; otherwise, the overflow fails closed to a denial‑of‑service crash.
Step 5: Weaponization requirements (in practice)
Full weaponization of the vtable hijack needs an ASLR bypass — but the widespread availability of memory disclosure primitives in 2026 makes this a manageable obstacle for determined attackers. The existence of a public Python PoC generator means that crafting malicious files is now trivial.
2. Detection, Verification, and Immediate Mitigation via Upgrade to 26.01
The only complete mitigation is upgrading to 7‑Zip version 26.01, released on April 27, 2026 — the same day the private report was made. No official workaround or configuration change can reliably prevent this overflow.
Step‑by‑Step Guide: Upgrade and Validate
Windows (GUI method)
1. Download the installer from the official 7‑Zip website
2. Run the installer (it will automatically replace the existing installation)
3. After installation, verify the version in Command Prompt:

```bat
"C:\Program Files\7-Zip\7z.exe" --help
```
The displayed version should be 26.01 or later.
Windows (silent/unattended update for enterprise environments)
```bat
REM Unattended install of the fixed MSI
msiexec /i 7z2601.msi /quiet /norestart
REM Verify afterwards: 7z.exe prints its banner on any invocation (there is no --version switch)
"C:\Program Files\7-Zip\7z.exe" --help | findstr /i "7-Zip"
```
Linux (package manager — Debian/Ubuntu)
```sh
sudo apt update
sudo apt upgrade 7zip
7z --help | head -2
```
Linux (package manager — RHEL/CentOS/Fedora)
```sh
sudo dnf update 7zip
# or, on older releases:
sudo yum update 7zip
```
Linux (from source, for hardened or embedded builds)
```sh
# The original line fetched 7z2408-src.7z (24.08), which is itself in the
# vulnerable range. The 26.01 archive name below follows 7-Zip's usual
# 7zXXYY-src.7z naming; confirm it on the download page before building.
wget https://www.7-zip.org/a/7z2601-src.7z
7z x 7z2601-src.7z
cd CPP/7zip/Bundles/Alone2
make -f makefile.gcc
sudo cp _o/7zz /usr/local/bin/7zz
```
Detection Scripts and Exploit Verification
Python‑based detection (a version check; it does not need the GitHub Security Lab PoC)

```python
import re
import subprocess

# 7-Zip's banner line looks like "7-Zip 26.00 (x64) : Copyright ..." (older builds:
# "7-Zip [64] 16.02", "7-Zip (a) 9.20"); there is no "Version" keyword to look for,
# so the version is parsed as two integers and compared numerically, not as a string.
BANNER_RE = re.compile(r"^7-Zip(?:\s+\S+)?\s+(\d+)\.(\d+)")


def check_7zip_version(binary="7z"):
    """Return (major, minor) of the installed 7-Zip, or None if it cannot be determined."""
    try:
        result = subprocess.run([binary, "--help"], capture_output=True, text=True)
    except FileNotFoundError:
        print(f"[-] Error: {binary} not found in PATH")
        return None
    for line in result.stdout.splitlines():
        m = BANNER_RE.match(line.strip())
        if not m:
            continue
        version = (int(m.group(1)), int(m.group(2)))
        version_str = f"{version[0]}.{version[1]:02d}"
        if version <= (26, 0):
            print(f"[!] VULNERABLE: 7-Zip {version_str} (<= 26.00)")
            print("[!] Upgrade to 26.01 immediately.")
        else:
            print(f"[✓] Secure: 7-Zip {version_str} (>= 26.01)")
        return version
    print("[-] Error: no 7-Zip banner found in the output")
    return None


if __name__ == "__main__":
    check_7zip_version()
```
Linux one‑liner inventory scan for enterprise networks
```sh
# Find all 7-Zip binaries across mounted filesystems, print each one's banner
# line (it starts with "7-Zip <version>"; there is no "Version" keyword), and
# keep only those at or below 26.00
find / -type f \( -name 7z -o -name 7zz -o -name 7za \) 2>/dev/null | while read -r bin; do
    version=$("$bin" --help 2>&1 | grep -m1 '^7-Zip')
    echo "$bin: $version"
done | grep -E '7-Zip ([^ ]+ )?(([0-9]|1[0-9]|2[0-5])\.[0-9]+|26\.00)( |$)'
```
AddressSanitizer (ASan) compile for proactive testing (Linux)
For developers compiling 7‑Zip from source to test for heap overflow behavior:
```sh
# Clone the vulnerable source (for educational/testing use only)
git clone https://github.com/ip7z/7zip.git
cd 7zip/CPP/7zip/Bundles/Alone2
# Compile with ASan to detect the overflow at runtime
# (the *.cpp wildcards were lost in extraction; the authoritative source
# list is the one makefile.gcc in this directory uses)
g++ -fsanitize=address -g -O1 -I../../../ \
    *.cpp ../../../Common/*.cpp ../../../Windows/*.cpp \
    -o 7zz_asan
```
3. Enterprise Hardening and Long‑Term Remediation
Beyond the immediate upgrade, organizations should implement additional layers of defense to mitigate future archive‑based exploits.
Step‑by‑Step Guide: Hardening Against Malicious Archive Processing
Step 1: Implement file type validation at the perimeter
Inspect files for the `NTFS␣` signature at offset 3 — this characteristic string can be used to block malicious files at mail gateways or web proxies.
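A gateway-side implementation of that check, added here as an example rather than taken from any product: it tests for the `NTFS␣` string at offset 3 and, as a triage aid, reads the cluster size a file declares through the standard NTFS boot-sector fields (bytes per sector at offset 11, sectors per cluster at offset 13). The quarantine threshold of 2^28 is an assumption taken from the trigger range described above, and the function does not reproduce how 7‑Zip itself derives `ClusterSizeLog`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* "NTFS " at offset 3 is what 7-Zip's signature fallback keys on. */
bool has_ntfs_signature(const uint8_t *buf, size_t len)
{
    return len >= 8 && memcmp(buf + 3, "NTFS ", 5) == 0;
}

/* log2(v) if v is a power of two, else -1. */
static int log2_if_pow2(uint32_t v)
{
    int n = 0;
    if (v == 0 || (v & (v - 1)) != 0) return -1;
    while ((v >>= 1) != 0) n++;
    return n;
}

/* log2 of the cluster size declared by the standard NTFS BPB: bytes per
 * sector (u16 at offset 11) times sectors per cluster (u8 at offset 13; a
 * value above 0x80 encodes 2^(256-value) sectors). -1 if malformed. This is
 * a triage heuristic, not a copy of how 7-Zip derives ClusterSizeLog. */
int declared_cluster_size_log(const uint8_t *buf, size_t len)
{
    if (len < 14) return -1;
    uint32_t bps = (uint32_t)buf[11] | ((uint32_t)buf[12] << 8);
    uint8_t spc = buf[13];
    int sector_log = log2_if_pow2(bps);
    int per_cluster_log = spc > 0x80 ? 256 - spc : log2_if_pow2(spc);
    if (sector_log < 0 || per_cluster_log < 0) return -1;
    return sector_log + per_cluster_log;
}

/* Gateway rule: NTFS-signed file whose declared cluster size is malformed or
 * implausibly large (assumed threshold 2^28, the low end of the range above). */
bool ntfs_image_needs_quarantine(const uint8_t *buf, size_t len)
{
    if (!has_ntfs_signature(buf, len)) return false;
    int log = declared_cluster_size_log(buf, len);
    return log < 0 || log >= 28;
}

/* Constructed sample: boot-sector prefix of a benign volume with 512-byte
 * sectors and 8 sectors per cluster (4 KB clusters). */
const uint8_t kBenignBoot[16] = { 0xEB, 0x52, 0x90, 'N', 'T', 'F', 'S', ' ',
                                  ' ', ' ', ' ', 0x00, 0x02, 0x08, 0x00, 0x00 };
/* Constructed sample: a plain ZIP local-file header, which the rule must ignore. */
const uint8_t kZipHeader[16] = { 'P', 'K', 0x03, 0x04, 0 };
```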
Step 2: Deploy application control (Windows AppLocker, Linux seccomp)
Restrict 7‑Zip execution to trusted directories only, and consider running archive extraction tools in sandboxed environments (e.g., Windows Sandbox, Firejail on Linux, or containerized extraction services).
Step 3: Enable heap protection mechanisms
– On Windows: Enable Windows Defender Exploit Guard (Heap Protection and ACG) for any process that invokes `7z.dll`.
– On Linux: Run 7‑Zip under gdb with custom breakpoints or use PaX/grsecurity if available.
Step 4: Monitor for exploitation attempts
Use SIEM rules to detect abnormal 7‑Zip behavior:
– Unexpected crashes of `7z.exe` or `7z.dll` processes
– 7‑Zip processes spawning child processes (indicative of RCE)
– Unusually large memory allocations (the 8 GB `_outBuf` allocation may appear in process memory profiling)
Step 5: For system integrators (embedding 7‑Zip in products)
Replace dynamic invocations of 7‑Zip with a microservice that runs the archiver with minimal privileges, extensive logging, and automatic restarts after any crash or suspicious exit code.
4. Timeline, Disclosure, and Current Status
The vulnerability was discovered by Alexandre Borges in April 2026. The reporting timeline is critically short:
| Date | Event |
|---|---|
| 2026-04-24 | Report delivered to 7‑Zip team via SourceForge private issue |
| 2026-04-27 | Version 26.01 released with the fix |
| 2026-05-22 | Public disclosure via GitHub Security Lab advisory (GHSL-2026-140) |
| 2026-05-26‑29 | Public Python PoC appears; media coverage escalates |
| 2026-06-05 | CVE-2026-48095 officially published |
The four‑day window between private disclosure and patch release is commendable, but the 26‑day gap between patch and public disclosure left many systems exposed. With PoC code now widely available, the vulnerability is considered actively weaponizable.
5. Broader Implications for Open‑Source Security and Archive Handlers
This vulnerability is not an isolated incident. 7‑Zip has suffered multiple heap‑based overflows in its archive parsers over the years — including CVE-2023-52168 (NTFS handler, 2023) and CVE-2025-53816 (RAR5 handler, 2025). The pattern is unmistakable: hand‑written C++ parser code for complex archive formats is an ongoing source of memory corruption bugs.
Developers and security teams should treat any file‑parsing library as a potential attack surface and adopt defense‑in‑depth measures such as:
– Fuzzing of all file formats (using tools like AFL++ or libFuzzer)
– Memory‑safe languages for new parser implementations (Rust, Go)
– Sandboxing of extraction logic away from critical processes
What Undercode Say:
– The CVE-2026-48095 vtable hijack is a classic result of mixing bitwise shift UB with implicit type assumptions — the C++ standards committee has been warning about this for decades, yet production code continues to rely on hardware‑defined shift masking behavior. This gap between “standards compliance” and “practical exploitation” is where real attacks live.
– The four‑day patch turnaround is excellent, but the public disclosure timing (one month later, after a PoC was already available) left defenders in an impossible position: upgrade before or after understanding the risk? In 2026, security teams must assume that any patch labeled “security‑related” is immediately relevant and deploy it within 48 hours, regardless of public details.
– The persistence of heap‑based bugs in archive parsers (NTFS, RAR5, and others) across multiple versions of 7‑Zip suggests that traditional code review and static analysis are insufficient. The open‑source community needs a dedicated, funded effort to rewrite critical parsing logic in memory‑safe languages — otherwise, we will keep seeing CVE after CVE in this extremely popular utility that sits on virtually every developer’s machine.
Prediction
– -1 Expect an uptick in malvertising and email‑borne campaigns embedding malicious NTFS images within password‑protected ZIP files (to bypass antivirus scanning), targeting the long tail of individuals and small businesses that do not automatically update software.
– -1 Enterprise environments that rely on automated archive scanning (e.g., email gateways, document management systems) will face a higher risk surface if they use vulnerable 7‑Zip libraries in backend extractors. Some of these systems may go unpatched for weeks, enabling worm‑like propagation via shared network drives.
– +1 The public availability of a robust PoC will accelerate fuzzing research and the development of more generalized detection rules for heap‑based vtable hijacks, ultimately raising the bar for similar bugs in other archivers (WinRAR, PeaZip, etc.).
– -1 As of June 2026, the lack of an automatic update mechanism in 7‑Zip (a deliberate design choice) will remain a systemic risk factor. Future supply‑chain attacks could pivot through compromised 7‑Zip mirrors or source repositories, injecting backdoors into widely distributed archives — and this CVE serves as a stark reminder that static third‑party dependencies must be actively managed, not assumed safe.
Disclaimer: The commands, code snippets, and methodologies described above are intended for legitimate security testing, education, and system hardening only. Unauthorized use of this information to craft malicious files or attack systems violates computer fraud and abuse laws in most jurisdictions. Always obtain proper authorization before testing any vulnerability on systems you do not own or manage.
IT/Security Reporter URL:
Reported By: [Aleborges Vulnerability](https://www.linkedin.com/posts/aleborges_vulnerability-cybersecurity-informationsecurity-share-7465456962403463170-uo7J/) – Hackers Feeds