Description
7-Zip is a file archiver with a high compression ratio. Versions 9.11 through 26.00 contain a heap out-of-bounds read of up to 3 bytes in the UDF disc image handler's File Identifier Descriptor parser. In CFileId::Parse (CPP/7zip/Archive/Udf/UdfIn.cpp), after validating size < 38 + idLen + impLen and advancing processed to 38 + impLen + idLen, the alignment-padding loop reads p[processed] while incrementing up to 3 times to reach a 4-byte boundary, and the processed <= size bounds check only runs after the loop. When (38 + impLen + idLen) % 4 != 0 and 38 + impLen + idLen == size, the loop reads 1 to 3 bytes past the end of the exact-size heap buffer allocated via buf.Alloc((size_t)item.Size). The UDF handler is registered for .iso and .udf files and auto-detected by signature, and the OOB read triggers during Open() when listing or extracting a crafted UDF image. Impact is limited to information disclosure (a 1-bit oracle per OOB byte via open/fail behavior) and denial of service (crash under hardened allocators); there is no write primitive. Version 26.01 fixes the issue.
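The description above pins the bug to the order of two operations: the padding loop reads bytes first, and the `processed <= size` check runs afterwards. The example below is an added illustration, not code from 7-Zip or from the advisory; it assumes the File Identifier Descriptor layout of ECMA-167 4/14.4 (38 fixed bytes, with the identifier length at offset 19 and the 16-bit implementation-use length at offset 36), and the function names `fid_overread_bytes`, `fid_parse` and `fid_build` are mine. `fid_overread_bytes` computes, without touching memory, how far the pre-26.01 ordering would read past an exact-size buffer for given lengths; `fid_parse` is a hardened parse that validates the padded length before the padding bytes are dereferenced, which is the general fix for this pattern.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FID fixed-header offsets per ECMA-167 4/14.4 (my reading of the spec;
   7-Zip's own struct is not reproduced here). */
#define FID_FIXED_LEN   38
#define FID_OFF_ID_LEN  19   /* Length of File Identifier, 1 byte        */
#define FID_OFF_IMP_LEN 36   /* Length of Implementation Use, 2 bytes LE */

typedef struct {
    unsigned idLen;
    unsigned impLen;
    const uint8_t *id;   /* points into the caller's buffer */
    size_t consumed;     /* bytes consumed including 4-byte padding */
} fid_t;

/* How many bytes a "read padding, then check processed <= size" loop would
   read past a buffer of exactly `size` bytes. Pure arithmetic: the
   unpatched control flow is modelled, never executed. */
size_t fid_overread_bytes(size_t size, unsigned idLen, unsigned impLen)
{
    size_t processed = (size_t)FID_FIXED_LEN + idLen + impLen;
    if (size < processed)
        return 0;                        /* rejected by the up-front check */
    size_t pad = (4 - processed % 4) % 4; /* bytes the padding loop touches */
    size_t end = processed + pad;         /* highest index read is end - 1 */
    return end > size ? end - size : 0;
}

/* Hardened parse: the padded length is validated against `size` BEFORE any
   padding byte is dereferenced. Returns 0 on success, -1 on malformed input.
   Treating non-zero padding as an error is my choice; ECMA-167 specifies
   the padding bytes as #00. */
int fid_parse(const uint8_t *p, size_t size, fid_t *out)
{
    if (size < FID_FIXED_LEN)
        return -1;
    unsigned idLen  = p[FID_OFF_ID_LEN];
    unsigned impLen = p[FID_OFF_IMP_LEN] | (p[FID_OFF_IMP_LEN + 1] << 8);
    size_t processed = (size_t)FID_FIXED_LEN + impLen + idLen;
    size_t padded = (processed + 3) & ~(size_t)3;
    if (padded > size)                   /* check first, read second */
        return -1;
    for (size_t i = processed; i < padded; i++)
        if (p[i] != 0)                   /* now provably in bounds */
            return -1;
    out->idLen = idLen;
    out->impLen = impLen;
    out->id = p + FID_FIXED_LEN + impLen;
    out->consumed = padded;
    return 0;
}

/* Build a constructed FID (zeroed header, `impLen` zero implementation-use
   bytes, then `name`). Returns the unpadded length 38 + impLen + idLen, or 0
   if it does not fit; the caller chooses how much padding follows it. */
size_t fid_build(uint8_t *buf, size_t cap, const char *name, unsigned impLen)
{
    size_t idLen = strlen(name);
    size_t total = (size_t)FID_FIXED_LEN + impLen + idLen;
    if (idLen > 255 || total > cap)
        return 0;
    memset(buf, 0, cap);
    buf[FID_OFF_ID_LEN] = (uint8_t)idLen;
    buf[FID_OFF_IMP_LEN] = (uint8_t)(impLen & 0xff);
    buf[FID_OFF_IMP_LEN + 1] = (uint8_t)(impLen >> 8);
    memcpy(buf + FID_FIXED_LEN + impLen, name, idLen);
    return total;
}

int main(void)
{
    uint8_t buf[64];
    fid_t f;
    /* Constructed input: one-byte identifier, no implementation use ->
       38 + 0 + 1 = 39 bytes, which is not 4-byte aligned. */
    size_t n = fid_build(buf, sizeof buf, "a", 0);
    printf("unpadded length %zu, unpatched over-read at exact size: %zu byte(s)\n",
           n, fid_overread_bytes(n, 1, 0));
    printf("hardened parse, exact-size buffer: %d\n", fid_parse(buf, n, &f));
    printf("hardened parse, padded buffer:     %d (consumed %zu)\n",
           fid_parse(buf, n + 1, &f), f.consumed);
    return 0;
}
```

The two lengths that matter are the unpadded total `38 + impLen + idLen` and its 4-byte round-up; the over-read exists exactly when those differ and the buffer was allocated to the unpadded total. Any parser that rounds a length up for alignment should compare the rounded value against the buffer size before the first read, as `fid_parse` does.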
Published: 2026-06-05
Score: 3.1 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

7‑Zip versions 9.11 through 26.00 contain a heap out‑of‑bounds read that can reveal one or more bits of memory while a UDF disc image is being parsed. The flaw does not allow memory writes or code execution; its impact is limited to a small information leak and a possible crash when hardened allocators are in use. The read yields a 1‑bit oracle per over‑read byte and is triggered when a malicious .iso or .udf file is opened or listed.

Affected Systems

The vulnerability affects the 7‑Zip file archiver from the mcmilk vendor. It is present in all releases between 9.11 and 26.00 inclusive. Version 26.01 applies a fix that removes the out‑of‑bounds read by correcting the loop bounds and the post‑read check. Users running any affected version should be aware that the UDF handler is the code path that triggers the bug.

Risk and Exploitability

The CVSS score of 3.1 indicates a low overall risk, and the EPSS score is not provided, so nothing points to a high exploitation probability. The flaw is not listed in the CISA KEV catalog, suggesting no known widespread exploitation. However, the vulnerability is triggered by loading a crafted UDF image, a format 7‑Zip auto‑detects, so local users or any privileged process that unpacks or lists such files could be affected. The lack of a write primitive keeps the attack surface narrow, but the denial‑of‑service potential could impact availability in environments that rely heavily on automated archive extraction.

Generated by OpenCVE AI on June 5, 2026 at 16:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade 7‑Zip to version 26.01 or later to eliminate the out‑of‑bounds read.
  • Restrict the processing of .iso and .udf files from untrusted sources and only allow verified archives to be handed to 7‑Zip.
  • If an update cannot be applied immediately, run 7‑Zip in an isolated environment or from a sandboxed process to contain any potential denial‑of‑service impact and prevent access to sensitive memory data.

Tracking

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 15:45:00 +0000

Type | Values Removed | Values Added
Description | | 7-Zip is a file archiver with a high compression ratio. Versions 9.11 through 26.00 contain a heap out-of-bounds read of up to 3 bytes in the UDF disc image handler's File Identifier Descriptor parser. In CFileId::Parse (CPP/7zip/Archive/Udf/UdfIn.cpp), after validating size < 38 + idLen + impLen and advancing processed to 38 + impLen + idLen, the alignment-padding loop reads p[processed] while incrementing up to 3 times to reach a 4-byte boundary, and the processed <= size bounds check only runs after the loop. When (38 + impLen + idLen) % 4 != 0 and 38 + impLen + idLen == size, the loop reads 1 to 3 bytes past the end of the exact-size heap buffer allocated via buf.Alloc((size_t)item.Size). The UDF handler is registered for .iso and .udf files and auto-detected by signature, and the OOB read triggers during Open() when listing or extracting a crafted UDF image. Impact is limited to information disclosure (a 1-bit oracle per OOB byte via open/fail behavior) and denial of service (crash under hardened allocators); there is no write primitive. Version 26.01 fixes the issue.
Title | | GHSL-2026-118: 7-Zip UDF Field OOB Read
Weaknesses | | CWE-125
References | |
Metrics | | cvssV3_1 {'score': 3.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T15:19:04.737Z

Reserved: 2026-05-20T18:40:45.835Z

Link: CVE-2026-48102

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-05T16:16:41.593

Modified: 2026-06-05T17:04:07.863

Link: CVE-2026-48102

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T16:30:06Z

Weaknesses