Description
7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB), potentially allowing attackers to cause arbitrary code execution or application crashes. CInStream::GetCuSize() in the NTFS handler computes the compression-unit buffer size as (UInt32)1 << (BlockSizeLog + CompressionUnit), and a crafted image with ClusterSizeLog >= 28 and CompressionUnit == 4 drives the exponent to 32, which is undefined behavior and collapses on x86/x64 so _inBuf is allocated as 1 byte. ReadStream_FALSE then writes up to 256 MB of attacker-controlled data into that 1-byte buffer in 64 KB iterations, and because the CInStream object sits only 304 bytes after _inBuf, its vtable pointer is overwritten and the next dispatched call achieves a vtable hijack. On 32-bit builds the overflow is unconditionally reached; on 64-bit it requires the parallel 8 GB _outBuf allocation to succeed, otherwise failing closed to denial of service. The NTFS handler is enabled by default in stock 7z.dll and, via signature-based fallback matching "NTFS " at offset 3, will open a crafted image regardless of file extension during extraction or testing. Version 26.01 fixes the issue.
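The description above explains two things a defender can check for directly: the shift arithmetic that under-allocates the buffer, and the fallback signature match that lets the NTFS handler open any file carrying "NTFS " at offset 3. The C below is an added example, not 7-Zip's code. It models both using the advisory's example values (28 and 4, treating the ClusterSizeLog value as the BlockSizeLog operand so the exponent reaches 32), shows why the x86/x64 collapse yields a 1-byte size, and shows a hardened size computation beside a signature sniff a gateway could use. Function names, the 16 MiB cap and the sample headers are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not 7-Zip source. Field names follow the CVE text;
   CU_BYTES_MAX is an assumed sanity cap chosen for this example. */
#define CU_BYTES_MAX ((uint64_t)1 << 24)   /* assumed 16 MiB upper bound */

/* Models what the unchecked expression (UInt32)1 << n yields on x86/x64,
   where the hardware masks a 32-bit shift count to 5 bits. The explicit
   mask keeps this function well-defined in C; it exists only to show the
   collapse the advisory describes (n == 32 -> 1 << 0 -> 1 byte). */
uint32_t cu_size_x86_effective(unsigned blockSizeLog, unsigned compressionUnit)
{
    unsigned n = blockSizeLog + compressionUnit;
    return (uint32_t)1 << (n & 31);
}

/* Hardened computation: reject any exponent that is undefined for a 32-bit
   shift, do the arithmetic in 64 bits, and fail closed above the cap.
   Returns false (and leaves *outSize untouched) when the header is rejected. */
bool cu_size_checked(unsigned blockSizeLog, unsigned compressionUnit, size_t *outSize)
{
    unsigned n = blockSizeLog + compressionUnit;   /* small header fields, no wrap */
    if (n >= 32)
        return false;                              /* undefined for a UInt32 shift */
    uint64_t size = (uint64_t)1 << n;
    if (size > CU_BYTES_MAX)
        return false;                              /* implausible compression unit */
    *outSize = (size_t)size;
    return true;
}

/* Signature sniff mirroring the fallback the advisory describes: "NTFS " at
   offset 3 identifies an image regardless of file extension. A scanning
   gateway can apply the same test to decide which inputs to quarantine. */
bool looks_like_ntfs_image(const uint8_t *buf, size_t len)
{
    static const uint8_t sig[5] = { 'N', 'T', 'F', 'S', ' ' };
    return len >= 3 + sizeof sig && memcmp(buf + 3, sig, sizeof sig) == 0;
}

/* Constructed sample inputs: a boot-sector-like prefix and a ZIP local header. */
static const uint8_t sample_ntfs_boot[16] = {
    0xEB, 0x52, 0x90, 'N', 'T', 'F', 'S', ' ', ' ', ' ', ' ',
    0x00, 0x02, 0x08, 0x00, 0x00
};
static const uint8_t sample_zip_header[16] = {
    'P', 'K', 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 0x08, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Wrappers so the sample data can be checked by name. */
bool sample_ntfs_is_detected(void)
{
    return looks_like_ntfs_image(sample_ntfs_boot, sizeof sample_ntfs_boot);
}
bool sample_zip_is_detected(void)
{
    return looks_like_ntfs_image(sample_zip_header, sizeof sample_zip_header);
}

int main(void)
{
    size_t sz = 0;
    printf("advisory values (28, 4): x86 effective size = %u byte(s)\n",
           (unsigned)cu_size_x86_effective(28, 4));
    printf("checked (28, 4): %s\n", cu_size_checked(28, 4, &sz) ? "accepted" : "rejected");
    printf("checked (12, 4): %s, size = %zu\n",
           cu_size_checked(12, 4, &sz) ? "accepted" : "rejected", sz);
    printf("ntfs sample detected: %d, zip sample detected: %d\n",
           (int)sample_ntfs_is_detected(), (int)sample_zip_is_detected());
    return 0;
}
```

The checked variant is the shape of the fix the description points at: the exponent is validated before the shift, the product is computed in a width that cannot wrap, and anything outside a plausible range is rejected rather than allocated. The sniff shows why extension-based filtering alone is not a mitigation for this class of input.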
Published: 2026-06-05
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

7-Zip contains a heap buffer overflow in the NTFS compressed stream handler due to an under‑allocation when computing the compression‑unit buffer size. The vulnerability allows an attacker to craft an archive that causes a 1‑byte buffer to be overwritten with up to 256 MB of attacker‑controlled data, culminating in a vtable hijack and arbitrary code execution. If the overflow is not reached, the error triggers a denial of service through a crash. The flaw is rooted in improper arithmetic and lack of bounds checking (CWE‑190, CWE‑787).

Affected Systems

The issue affects 7‑Zip versions 26.00 and earlier, including the default stock 7z.dll. Any installation of those releases may process NTFS compressed streams during extraction or file testing. Version 26.01 and later contain the remediation.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, so mitigation is needed. EPSS is not available, so the probability of near-term exploitation is uncertain, but because the flaw is triggered by user-supplied archive files, the attack surface is broad. The vulnerability is not listed in CISA's KEV catalog. The likely attack vector is an adversary delivering a malicious archive that the target opens or verifies, since the flaw is reached during extraction or during a file-test operation. Once the malicious data has been processed, the attacker can gain code execution on the system running 7-Zip.

Generated by OpenCVE AI on June 5, 2026 at 15:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to 7‑Zip version 26.01 or newer, which corrects the unsigned arithmetic and buffer allocation.
  • If an upgrade cannot occur immediately, disable NTFS stream processing in the 7z.dll configuration or block files containing the NTFS signature during extraction.
  • As a temporary containment, limit the use of 7‑Zip to trusted archives and avoid testing unknown files with the program until a patch is applied.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 14:45:00 +0000

Values added (no values removed):

Description: 7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB), potentially allowing attackers to cause arbitrary code execution or application crashes. CInStream::GetCuSize() in the NTFS handler computes the compression-unit buffer size as (UInt32)1 << (BlockSizeLog + CompressionUnit), and a crafted image with ClusterSizeLog >= 28 and CompressionUnit == 4 drives the exponent to 32, which is undefined behavior and collapses on x86/x64 so _inBuf is allocated as 1 byte. ReadStream_FALSE then writes up to 256 MB of attacker-controlled data into that 1-byte buffer in 64 KB iterations, and because the CInStream object sits only 304 bytes after _inBuf, its vtable pointer is overwritten and the next dispatched call achieves a vtable hijack. On 32-bit builds the overflow is unconditionally reached; on 64-bit it requires the parallel 8 GB _outBuf allocation to succeed, otherwise failing closed to denial of service. The NTFS handler is enabled by default in stock 7z.dll and, via signature-based fallback matching "NTFS " at offset 3, will open a crafted image regardless of file extension during extraction or testing. Version 26.01 fixes the issue.
Title: GHSL-2026-140_7-Zip: 7-Zip has a heap buffer overflow via NTFS compressed stream buffer under-allocation
Weaknesses: CWE-190, CWE-787
References:
Metrics: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T13:57:43.772Z

Reserved: 2026-05-20T18:40:45.834Z

Link: CVE-2026-48095

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T15:16:53.520

Modified: 2026-06-05T15:16:53.520

Link: CVE-2026-48095

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T15:30:13Z

Weaknesses