CVE-2026-48092 - Vulnerability Details

- 7-Zip SquashFS Fragment Offset Overflow (GHSL-2026-116)

Description

7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain a heap memory disclosure via SquashFS fragment offset integer overflow on 32-bit builds. 32-bit integer overflow in the SquashFS ReadBlock function allows an attacker-controlled node.Offset value to bypass the fragment bounds check, causing memcpy to read heap memory preceding the cache buffer into the extracted file. The vulnerability is exploitable only on 32-bit builds of 7-Zip where size_t is 32 bits, allowing the addition offsetInBlock + blockSize to wrap modulo 2³². On 64-bit builds the addition is promoted to 64 bits and the check correctly rejects the input. Version 26.01 patches the issue.

Published: 2026-06-05

Score: 4.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A 32‑bit integer overflow in the SquashFS ReadBlock function of 7‑Zip allows an attacker‑controlled node.Offset value to bypass bound checks, causing memcpy to read heap memory preceding the cache buffer into the extracted file. The vulnerability can expose sensitive data by leaking heap contents, compromising confidentiality. The CVSS score of 4.3 indicates a low severity level for this information‑disclosure flaw.

Affected Systems

The flaw affects 7‑Zip versions 9.34 through 26.00 on 32‑bit builds where size_t is 32 bits, including the standard 32‑bit executable. 64‑bit builds are immune because the addition is promoted to 64 bits and the check correctly rejects the input. 26.01 and later versions contain a patch that removes the overflow.

Risk and Exploitability

The vulnerability is exploitable only locally: an attacker must supply a crafted SquashFS archive to a system running a 32‑bit 7‑Zip build. Because EPSS is not available and the issue is not listed in CISA KEV, the likelihood of widespread exploitation is low, but privileged users who process untrusted archives could gain access to arbitrary memory contents. The impact remains limited to information disclosure rather than code execution or denial of service.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

mcmilk

7-Zip

affected

Version	Status	Constraints
`>= 9.34, < 26.01`	affected	—

Configuration 1 [-]

cpe:2.3:a:7-zip:7-zip:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Mcmilk

7-zip

100%

Version	Status	Scheme	Platform
`[9.34,26.01)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to 7‑Zip version 26.01 or later to remove the overflow
Replace or disable the 32‑bit 7‑Zip executable with a 64‑bit build if possible
Avoid extracting archives from untrusted sources with the 32‑bit 7‑Zip

Generated by OpenCVE AI on June 5, 2026 at 15:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00324.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/

History

Mon, 08 Jun 2026 17:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 08 Jun 2026 13:45:00 +0000

Type	Values Removed	Values Added
First Time appeared		7-zip 7-zip 7-zip
CPEs		cpe:2.3:a:7-zip:7-zip::::::::
Vendors & Products		7-zip 7-zip 7-zip

Sun, 07 Jun 2026 11:30:00 +0000

Type	Values Removed	Values Added
First Time appeared		Mcmilk Mcmilk 7-zip
Vendors & Products		Mcmilk Mcmilk 7-zip

Fri, 05 Jun 2026 14:45:00 +0000

Type	Values Removed	Values Added
Description		7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain a heap memory disclosure via SquashFS fragment offset integer overflow on 32-bit builds. 32-bit integer overflow in the SquashFS ReadBlock function allows an attacker-controlled node.Offset value to bypass the fragment bounds check, causing memcpy to read heap memory preceding the cache buffer into the extracted file. The vulnerability is exploitable only on 32-bit builds of 7-Zip where size_t is 32 bits, allowing the addition offsetInBlock + blockSize to wrap modulo 2³². On 64-bit builds the addition is promoted to 64 bits and the check correctly rejects the input. Version 26.01 patches the issue.
Title		7-Zip SquashFS Fragment Offset Overflow (GHSL-2026-116)
Weaknesses		CWE-125
References		https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/
Metrics		cvssV3_1 `{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}`

Subscriptions

7-zip 7-zip

Mcmilk 7-zip

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-05T13:51:55.097Z

Updated: 2026-06-08T17:08:54.213Z

Reserved: 2026-05-20T18:40:45.834Z

Link: CVE-2026-48092

Vulnrichment

Updated: 2026-06-08T17:07:56.406Z

NVD

Status : Modified

Published: 2026-06-05T15:16:53.380

Modified: 2026-06-08T18:16:33.553

Link: CVE-2026-48092

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-07T11:16:45Z

Weaknesses

CWE-125
Out-of-bounds Read

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact None

Integrity Impact None

Availability Impact Low

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object