Description
7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an An uninitialized memory disclosure vulnerability in the UEFI capsule (.scap) parser in 7-Zip. The OpenCapsule function allocates a heap buffer of attacker-declared CapsuleImageSize (up to 1 GiB) without zero-initialization, then reads the file contents into it with ReadStream_FALSE whose return value is silently discarded. If the file is truncated, the unread tail of the buffer retains uninitialized heap memory, which is then exposed as extracted file content via GetStream. Version 26.0.1 fixes the issue.
Published: 2026-06-05
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

7‑Zip contains an uninitialized memory disclosure in its UEFI capsule (.scap) parser. The OpenCapsule function allocates a heap buffer whose size is declared by the attacker but does not zero‑initialize it. Data from the file is loaded with ReadStream_FALSE, and the function disregards the return value; if the file is truncated, unread bytes remain uninitialized. Those bytes later become part of the extracted file content returned via GetStream, letting an attacker read memory that was never overwritten.

Affected Systems

Versions 9.21 through 26.00 of 7‑Zip, released by mcmilk, are affected. The issue is fixed in version 26.0.1 and later.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS information is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit this by supplying a crafted .scap file to an affected 7‑Zip installation, causing it to expose uninitialized memory. Since 7‑Zip is a local application, the attack vector is primarily local or requires a user to open a malicious file. No network‑based exploitation is reported in the available data.

Generated by OpenCVE AI on June 5, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the 26.0.1 or later update of 7‑Zip immediately.
  • If an update is not possible, block or delete .scap files from untrusted sources and avoid processing them with 7‑Zip.
  • Review any scripts or automated processes that invoke 7‑Zip to ensure they do not automatically extract .scap files; consider switching to an alternative archiver.

Generated by OpenCVE AI on June 5, 2026 at 17:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Description 7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an An uninitialized memory disclosure vulnerability in the UEFI capsule (.scap) parser in 7-Zip. The OpenCapsule function allocates a heap buffer of attacker-declared CapsuleImageSize (up to 1 GiB) without zero-initialization, then reads the file contents into it with ReadStream_FALSE whose return value is silently discarded. If the file is truncated, the unread tail of the buffer retains uninitialized heap memory, which is then exposed as extracted file content via GetStream. Version 26.0.1 fixes the issue.
Title GHSL-2026-117: 7-Zip UEFI Capsule uninitialized heap memory disclosure
Weaknesses CWE-908
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:38:15.207Z

Reserved: 2026-05-20T18:40:45.835Z

Link: CVE-2026-48101

cve-icon Vulnrichment

Updated: 2026-06-05T19:38:11.295Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-06-05T16:16:41.423

Modified: 2026-06-05T17:04:07.863

Link: CVE-2026-48101

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-05T18:00:15Z

Weaknesses