Blackfort Technology
IT Security · Technical Article · May 27, 2026 · Christian Gebhardt

7-Zip CVE-2026-48095: Critical RCE Vulnerability Patched

7-Zip 26.00 contains critical vulnerability CVE-2026-48095 with CVSS 8.8. Heap overflow enables remote code execution. Update to 26.01 available.


Overview: Heap Overflow in the NTFS Handler

On May 22, 2026, the GitHub Security Lab published advisory GHSL-2026-140 covering a critical vulnerability in 7-Zip. CVE-2026-48095 describes a heap-based buffer overflow in the NTFS archive handler of 7-Zip 26.00, triggered—according to the advisory—by faulty buffer sizing inside the CInStream::GetCuSize() function. The CVSS 3.1 score is 8.8 (High); the flaw permits remote code execution simply by opening a crafted file.

Critical Facts

CVE ID: CVE-2026-48095

CVSS 3.1: 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

CWE: CWE-787 (Out-of-bounds Write), CWE-190 (Integer Overflow)

Affected: 7-Zip 26.00 (and potentially earlier versions)

Fixed in: 7-Zip 26.01 (released April 27, 2026)

Public disclosure: May 22, 2026 (GHSL-2026-140)

PoC status: Working proof-of-concept publicly available

The vulnerability was discovered by Jaroslav Lobačevski (GHSL team member “@JarLob”). In their statement, the GitHub Security Lab explains that a specifically crafted NTFS image causes a shift operator with exponent 32 to execute in the code path. This triggers undefined behavior in C++ and allocates only 1 byte instead of several hundred megabytes. Into this 1-byte buffer, 7-Zip then writes up to 256 MB of attacker-controlled data—a textbook heap overflow with immediate impact on adjacent objects.

Technical Analysis: From Shift to vtable Hijack

According to GHSL-2026-140, the bug originates in this compression-unit size calculation: (UInt32)1 << (BlockSizeLog + CompressionUnit). The NTFS parser accepts cluster sizes up to 2^30 bytes. An attacker selects ClusterSizeLog ≥ 28 combined with CompressionUnit == 4 in the crafted NTFS image. The shift exponent thereby reaches 32, which—on a 32-bit data type—is undefined behavior under the C++ standard.

Malicious calculation path (simplified)
// CInStream::GetCuSize() in the NTFS handler implementation
UInt32 GetCuSize() {
    // BlockSizeLog is derived from cluster-size-log (>= 28 possible)
    // CompressionUnit is freely settable in the NTFS compressed attribute (up to 4)
    // With BlockSizeLog=28 and CompressionUnit=4 the exponent becomes 32.
    return (UInt32)1 << (BlockSizeLog + CompressionUnit);  // UB at >= 32
}

// Result: _inBuf is allocated as just 1 byte on x86/x64.
// Subsequently 7-Zip reads 256 MB of compressed cluster data into _inBuf.

The GitHub Security Lab describes the exploitation chain precisely: after only the first 304 bytes of overrun, the vtable pointer of an adjacently allocated CInStream object is overwritten. On the second Read() call, the program dispatches via the corrupted pointer—a textbook vtable hijack. The attacker thereby gains control of the instruction pointer.

A 1-byte buffer receives 256 MB of data—the classic heap overflow overwrites adjacent objects, including the vtable pointer.

32-bit versus 64-bit Builds

According to the SOC Prime analysis and the GHSL advisory, 32-bit builds are fundamentally susceptible to code execution.

On 64-bit systems, code execution is possible if at least 16 GB of RAM are available. Systems with less memory typically respond with denial of service via process crash.

Because on 64-bit builds the overwritten region must actually be backed by physical memory, the available RAM determines the outcome: crash or RCE.

Attack Surface: Any File Extension Is Dangerous

What makes CVE-2026-48095 particularly insidious is the MIME-magic behavior of 7-Zip. The software does not identify archives solely by file extension—it falls back to signature-based detection when the registered handler rejects the file. The NTFS handler responds to the signature "NTFS " at byte offset 3, regardless of whether the file has the extension .7z, .zip, .rar, or no extension at all.

Exploitation chain per GHSL-2026-140

  1. Attacker creates a crafted NTFS image with ClusterSizeLog ≥ 28 and CompressionUnit == 4.
  2. The image is distributed with any extension (.zip, .7z, .rar, no extension) via email or download.
  3. Victim opens the file in 7-Zip 26.00 — the registered handler fails, the NTFS handler takes over by signature.
  4. CInStream::GetCuSize() calculates a buffer size of 1 byte due to undefined behavior.
  5. ReadStream_FALSE() writes 64 KB per read iteration into the 1-byte buffer.
  6. After 304 bytes the vtable pointer of the adjacent CInStream object is overwritten.
  7. On the next virtual function call the program dispatches via the attacker-controlled pointer — RCE.

The only attack precondition is user interaction (UI:R in the CVSS vector), and a single double-click on a seemingly harmless archive file satisfies it. Combined with phishing campaigns, cloud-sharing links, and tampered download portals, the bar for a successful attack is low.
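The two facts above (signature fallback at byte offset 3, and a cluster-size log that pushes the GetCuSize() shift exponent to 32) can be turned into a defender-side pre-screen for archives arriving at a gateway. The following Python is an added example, not code from the article or from the 7-Zip project; it assumes the standard NTFS boot-sector layout (bytes per sector at 0x0B, sectors per cluster at 0x0D, with values above 0x80 encoding 2^(256 - value) sectors) and treats BlockSizeLog as equal to the cluster-size log, as the simplified snippet above describes. The sample boot sectors are constructed.

```python
import struct

MAX_COMPRESSION_UNIT = 4   # largest CompressionUnit value named in the advisory

def looks_like_ntfs(data: bytes) -> bool:
    """Signature fallback as described above: "NTFS " at byte offset 3, extension ignored."""
    return data[3:8] == b"NTFS "

def cluster_size_log(boot: bytes) -> int:
    """log2(cluster size in bytes) from the standard NTFS boot-sector fields (assumed layout)."""
    bytes_per_sector, = struct.unpack_from("<H", boot, 0x0B)
    spc = boot[0x0D]
    if bytes_per_sector == 0 or bytes_per_sector & (bytes_per_sector - 1):
        raise ValueError("bytes-per-sector is not a power of two")
    if spc > 0x80:                      # signed form for large clusters: 2**(256 - spc) sectors
        spc_log = 256 - spc
    elif spc and spc & (spc - 1) == 0:  # plain power-of-two sector count
        spc_log = spc.bit_length() - 1
    else:
        raise ValueError("sectors-per-cluster is not a power of two")
    return (bytes_per_sector.bit_length() - 1) + spc_log

def cu_size_exponent_overflows(block_size_log: int, compression_unit: int) -> bool:
    """True when (UInt32)1 << (BlockSizeLog + CompressionUnit) would shift a 32-bit value by >= 32."""
    return block_size_log + compression_unit >= 32

def screen_file(data: bytes) -> dict:
    """Verdict for one file: is it an NTFS image, and can its geometry reach the undefined shift?"""
    if not looks_like_ntfs(data):
        return {"ntfs": False, "suspicious": False}
    if len(data) < 512:
        return {"ntfs": True, "suspicious": True, "reason": "truncated boot sector"}
    try:
        clog = cluster_size_log(data)
    except ValueError as err:
        return {"ntfs": True, "suspicious": True, "reason": str(err)}
    return {"ntfs": True, "cluster_size_log": clog,
            "suspicious": cu_size_exponent_overflows(clog, MAX_COMPRESSION_UNIT)}

def make_boot_sector(bytes_per_sector: int, spc_byte: int) -> bytes:
    """Constructed sample: a 512-byte boot sector carrying only the fields the screen reads."""
    sector = bytearray(512)
    sector[3:11] = b"NTFS    "
    struct.pack_into("<H", sector, 0x0B, bytes_per_sector)
    sector[0x0D] = spc_byte
    return bytes(sector)

# Constructed samples: ordinary 4 KB clusters vs. a 2**28-byte cluster (ClusterSizeLog = 28)
ORDINARY_IMAGE = make_boot_sector(512, 8)
OVERSIZED_IMAGE = make_boot_sector(512, 256 - 19)
```

The screen only judges geometry; a real NTFS image with huge clusters is unusual but not proof of exploitation, so treat a hit as a reason to quarantine and inspect rather than as a verdict.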

Impact: Who Is Affected?

With an estimated hundreds of millions of installations, 7-Zip is one of the most widely used archiving tools worldwide—on consumer and enterprise endpoints, bundled in software distributions, and embedded as a library in third-party products. The table below summarizes the directly affected configurations.

Configuration                                  | Likely outcome                       | Risk
7-Zip 26.00 (32-bit) on Windows                | Remote code execution possible       | Critical
7-Zip 26.00 (64-bit) with ≥ 16 GB RAM          | Remote code execution possible       | Critical
7-Zip 26.00 (64-bit) with < 16 GB RAM          | Denial of service (process crash)    | High
Third-party software with 7-Zip library 26.00  | Likely vulnerable, wrapper-dependent | High
7-Zip 26.01 or newer                           | Not affected                         | Safe

Widespread distribution via third-party software

7-Zip is integrated as a library by numerous tools—e.g., for container builds, backup solutions, mail gateways, and forensic software. These embedded versions are often not automatically updated by endpoint patch management and frequently surface only via an SBOM inventory.

Recommended Actions

Remediating the flaw itself is trivial—7-Zip 26.01, released April 27, 2026, contains the fix. The challenge is locating every installation. The following four steps describe a pragmatic response:

01 Inventory

Audit all endpoints and servers for 7-Zip installations. Use distribution software (e.g., Intune, SCCM) and EDR telemetry to identify version 26.00.

02 SBOM reconciliation

Scan third-party software inventory (SBOM) for embedded 7-Zip libraries. Pay particular attention to backup, forensic, and container tooling.

03 Distribute update

Roll out 7-Zip 26.01 centrally. For third-party software, await vendor patches or evaluate temporary workarounds.

04 Sharpen monitoring

Correlate 7-Zip process crashes in the SIEM. Suspicious archive openings followed by crashes indicate exploitation attempts.

Centralized patch management and SBOM reconciliation dramatically accelerate the response to vulnerabilities like CVE-2026-48095.

PowerShell – Audit 7-Zip versions on Windows endpoints
# Uninstall keys for 64-bit and 32-bit installs. The 32-bit build is the one
# most exposed to code execution, so the WOW6432Node hive must be included.
$uninstallKeys = @(
  'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
  'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# List local installations from the registry
Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
  Where-Object { $_.DisplayName -like "*7-Zip*" } |
  Select-Object DisplayName, DisplayVersion, InstallLocation

# Example output:
# DisplayName     DisplayVersion  InstallLocation
# -----------     --------------  ---------------
# 7-Zip 26.00     26.00           C:\Program Files\7-Zip\

# Remote query across multiple hosts (inventory). Portable copies of 7-Zip do not
# register here, so pair this with EDR file telemetry for 7z.exe / 7zFM.exe.
$targets = Get-Content .\inventory.txt
Invoke-Command -ComputerName $targets -ScriptBlock {
  $keys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
          'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
  Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like "*7-Zip*" } |
    Select-Object DisplayName, DisplayVersion, InstallLocation,
                  @{ Name = 'NeedsUpdate'; Expression = { [version]$_.DisplayVersion -lt [version]'26.01' } }
} | Export-Csv -NoTypeInformation -Path 7zip_audit.csv

Detection without IOCs – watch behavior

Because no vendor-published IOCs exist, behavior-based detection is the practical path: 7zFM.exe / 7z.exe crashes in close temporal proximity to opening archive-like files are suspicious.

Helpful SIEM rules combine Sysmon Event ID 1 (process create) for 7-Zip processes with Event ID 5 (process terminated) for short-lived processes whose input file originated externally.
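The correlation described above, written out in Python as an added example (not from the article): Sysmon Event ID 1 process creations of 7-Zip binaries are paired with Event ID 5 terminations by ProcessGuid, and any 7-Zip process that ends within a few seconds of opening a file is reported. The "originated externally" test is a folder-name heuristic and an assumption of this example, since Sysmon events carry no mark-of-the-web; the events below are constructed, not real telemetry.

```python
import re
from datetime import datetime

SEVENZIP_IMAGES = {"7z.exe", "7zfm.exe", "7zg.exe"}  # 7-Zip CLI, file manager, GUI helper
MAX_LIFETIME_S = 5.0                                  # "short-lived": process gone almost at once
# Assumed heuristic for "input file originated externally": download and mail-cache folders.
EXTERNAL_HINTS = ("\\downloads\\", "\\inetcache\\", "\\temporary internet files\\", "\\outlook\\")

def parse_utc(ts: str) -> datetime:
    """Sysmon UtcTime format, e.g. 2026-05-27 09:14:02.110"""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S.%f")

def input_file(command_line: str):
    """Last argument of the command line (the file 7-Zip was asked to open), or None."""
    tokens = [q or u for q, u in re.findall(r'"([^"]*)"|(\S+)', command_line)]
    return tokens[-1] if len(tokens) > 1 else None

def correlate(events):
    """Pair Event ID 1 (create) with Event ID 5 (terminate) by ProcessGuid; flag short 7-Zip runs."""
    starts, alerts = {}, []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):   # fixed-width timestamps sort as text
        if ev["EventID"] == 1 and ev["Image"].rsplit("\\", 1)[-1].lower() in SEVENZIP_IMAGES:
            starts[ev["ProcessGuid"]] = ev
        elif ev["EventID"] == 5 and ev["ProcessGuid"] in starts:
            start = starts.pop(ev["ProcessGuid"])
            path = input_file(start["CommandLine"])
            lifetime = (parse_utc(ev["UtcTime"]) - parse_utc(start["UtcTime"])).total_seconds()
            # Event ID 5 carries no exit code: pair hits with Application Error events to confirm a crash.
            if path and lifetime <= MAX_LIFETIME_S:
                alerts.append({"host": start["Computer"], "file": path, "lifetime_s": lifetime,
                               "external_origin": any(h in path.lower() for h in EXTERNAL_HINTS)})
    return alerts

SAMPLE_EVENTS = [  # constructed Sysmon events
    {"EventID": 1, "UtcTime": "2026-05-27 09:14:02.110", "Computer": "WS-0421", "ProcessGuid": "{a1}",
     "Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\jdoe\Downloads\invoice_2026.zip"'},
    {"EventID": 5, "UtcTime": "2026-05-27 09:14:03.420", "Computer": "WS-0421", "ProcessGuid": "{a1}",
     "Image": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"EventID": 1, "UtcTime": "2026-05-27 09:20:00.000", "Computer": "WS-0421", "ProcessGuid": "{b2}",
     "Image": r"C:\Program Files\7-Zip\7zFM.exe",
     "CommandLine": r'"C:\Program Files\7-Zip\7zFM.exe" "D:\backups\2026-05.7z"'},
    {"EventID": 5, "UtcTime": "2026-05-27 09:31:15.000", "Computer": "WS-0421", "ProcessGuid": "{b2}",
     "Image": r"C:\Program Files\7-Zip\7zFM.exe"},
    {"EventID": 1, "UtcTime": "2026-05-27 09:21:00.000", "Computer": "WS-0421", "ProcessGuid": "{c3}",
     "Image": r"C:\Windows\System32\notepad.exe", "CommandLine": "notepad.exe notes.txt"},
]
```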

Blackfort supports you in building the right correlations via Security Logging & Monitoring.

Assessment: Lessons for Vulnerability Management

CVE-2026-48095 exemplifies the current threat landscape around standard tools for three reasons: first, the enormous distribution of the affected software; second, the low barrier to entry (a double-click suffices); and third, the available proof-of-concept, which dramatically shortens the time to mass exploitation. Per the GHSL timeline, the flaw was reported on April 24, 2026, and remediated in 7-Zip 26.01 only three days later, on April 27. The vendor response was therefore exemplary in speed, but the subsequent disclosure on May 22 means defenders have been operating in an active window ever since.

Patch lag as the main risk

Field experience from penetration tests and vulnerability assessments shows that patch lag for endpoint software is frequently larger than for server operating systems. Standard tools such as archivers, PDF readers, or browsers are often updated weeks after a patch is available—especially where auto-update is disabled or the tool is used as a portable variant.

For CVE-2026-48095, this delay is particularly critical because a working PoC is already circulating publicly.

For security leaders this means concretely: 7-Zip belongs in every inventory and every patch cycle—not only on primary workstations, but also on build servers, forensic workstations, mail gateways, and backup hosts. The question “Where is 7-Zip 26.00 running in our environment?” should be answerable within a few hours. Anyone unable to answer it today has a structural problem in asset and vulnerability management that CVE-2026-48095 merely makes visible.

Disclaimer

The information is based on publicly available sources at the time of publication. Blackfort Technology assumes no liability for the completeness or timeliness of the information.
