Description
7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain an off-by-one heap out-of-bounds read in the WIM (Windows Imaging) archive handler's security descriptor lookup. In CHandler::GetSecurity (CPP/7zip/Archive/Wim/WimHandler.cpp), the per-image SecurOffsets table holds numEntries + 1 cumulative offsets, but the check securityId >= SecurOffsets.Size() admits securityId == numEntries, and the function then reads SecurOffsets[securityId + 1], fetching one UInt32 past the end of the heap-allocated CRecordVector (which performs no bounds checking on operator[]). The securityId is attacker-controlled at offset +0xC of any directory entry in WIM metadata, and the handler is registered for .wim, .swm, .esd, and .ppkg and enabled by default in stock 7z.dll; the OOB triggers zero-click in the GUI because 7zFM.exe's ListView calls GetRawProp(kpidNtSecure) for every item during listing (ASan-confirmed), and is also reachable via CLI listing with 7zz l -slt. Impact is limited to denial of service under hardened allocators and minor information disclosure, since the OOB value is only consumed arithmetically as a length and is not surfaced to the attacker; there is no write primitive.
Published: 2026-06-05
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an off‑by‑one heap out‑of‑bounds read in CHandler::GetSecurity, the security descriptor lookup of the WIM (Windows Imaging) archive handler used by 7‑Zip. The per‑image SecurOffsets table holds numEntries + 1 cumulative offsets, and the existing bounds check rejects only securityId values greater than numEntries; a crafted WIM whose directory entry carries securityId == numEntries therefore makes the handler read SecurOffsets[securityId + 1], one UInt32 past the end of the heap‑allocated vector. The value read is consumed only as a length and is never returned to the caller, so there is no write primitive and no path to code execution. The realistic outcomes are a crash of the 7‑Zip process that opened the file (a denial of service, most reliably under a hardened allocator that detects the read) and at most minor, indirect information disclosure.

Affected Systems

Affected versions are 7‑Zip 9.34 through 26.00. The WIM handler is part of the stock 7z.dll on Windows, which backs both the GUI (7zFM.exe) and the command‑line tools, and the record also shows the bug reachable from the 7zz command‑line build with 7zz l -slt, so non‑Windows installations are affected as well. The handler is registered for the .wim, .swm, .esd and .ppkg extensions and enabled by default, so any installation of these versions that opens or lists such files is susceptible. The CVSS 3.1 base score is 4.3 (Medium), no EPSS score is available, and the issue is not listed in the CISA KEV catalogue.

Risk and Exploitability

Exploitation requires a victim to open or list a crafted WIM‑family file with an affected version (CVSS UI:R); no further interaction is needed. In the GUI, simply opening the archive in 7zFM.exe triggers the read because the ListView requests kpidNtSecure for every item while listing, and on the command line a listing with 7zz l -slt is enough; extraction is not required. Anyone who can deliver such a file to a user's machine, whether by e‑mail, download or a shared location, can therefore crash the 7‑Zip process that handles it. No write primitive exists, so the impact is limited to that denial of service and minor information disclosure, consistent with the CVSS vector (C:N/I:N/A:L). The absence of the issue from KEV and the modest score mean it is unlikely to be prioritised, but the trivial trigger and the default‑enabled handler justify applying a fix once one is available.

Generated by OpenCVE AI on June 5, 2026 at 17:23 UTC.
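
Added example, written by the editor for this page and not code from 7-Zip or from the OpenCVE analysis: a small C++ model of the lookup shape the record describes, with the vulnerable check beside a corrected one, fed by a directory entry whose securityId equals numEntries. The struct and function names, the 16-byte directory-entry layout and the table contents are assumptions made for the demonstration; only the numEntries + 1 table shape, the securityId >= Size() check and the +0xC position of securityId come from the record.

```cpp
// Editor-added example, not 7-Zip's code. Models the WIM security-descriptor
// lookup described in CVE-2026-48103: SecurOffsets holds numEntries + 1
// cumulative offsets, the check admits securityId == numEntries, and the
// lookup then reads SecurOffsets[securityId + 1], one element past the end.
// Names, entry layout and table contents are assumptions for the demo.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

enum class Lookup { Ok, Rejected, OobRead };
struct LookupOut { Lookup status; uint32_t length; };

// Stand-in for the per-image SecurOffsets table: descriptor i occupies bytes
// [offsets[i], offsets[i + 1]) of the security blob, so a table describing
// numEntries descriptors holds numEntries + 1 offsets.
struct SecurityTable {
    std::vector<uint32_t> offsets;
    size_t numEntries() const { return offsets.empty() ? 0 : offsets.size() - 1; }
};

// An unchecked operator[] would silently read past the allocation; this helper
// reports the overrun instead so the example can show it without crashing.
static bool readAt(const SecurityTable &t, size_t i, uint32_t &out) {
    if (i >= t.offsets.size()) return false;   // the real CRecordVector has no such guard
    out = t.offsets[i];
    return true;
}

// Vulnerable shape: `securityId >= Size()` rejects only ids greater than
// numEntries, so id == numEntries passes and the "end" read is one past the end.
static LookupOut lookupVulnerable(const SecurityTable &t, uint32_t securityId) {
    if (securityId >= t.offsets.size()) return {Lookup::Rejected, 0};
    uint32_t start = 0, end = 0;
    if (!readAt(t, securityId, start) || !readAt(t, securityId + 1, end))
        return {Lookup::OobRead, 0};
    return {Lookup::Ok, end - start};
}

// Corrected shape: the id needs both a start and an end offset inside the
// table, i.e. securityId < numEntries; a non-monotonic table is rejected too.
static LookupOut lookupFixed(const SecurityTable &t, uint32_t securityId) {
    if (securityId >= t.numEntries()) return {Lookup::Rejected, 0};
    uint32_t start = t.offsets[securityId], end = t.offsets[securityId + 1];
    if (end < start) return {Lookup::Rejected, 0};
    return {Lookup::Ok, end - start};
}

// securityId sits at +0xC of a directory entry (per the record); the field is
// decoded as little-endian explicitly, independent of host byte order.
static uint32_t securityIdFromEntry(const uint8_t *entry, size_t len) {
    if (len < 0x10) return UINT32_MAX;          // malformed entry: treat as an invalid id
    const uint8_t *p = entry + 0xC;
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Constructed sample data: three descriptors (offsets 0, 64, 128, 200) and a
// 16-byte directory entry whose securityId field is set by the caller.
static SecurityTable demoTable() { return SecurityTable{{0, 64, 128, 200}}; }
static std::vector<uint8_t> demoEntry(uint32_t securityId) {
    std::vector<uint8_t> e(0x10, 0);             // other fields left zero (assumed layout)
    for (int i = 0; i < 4; ++i) e[0xC + i] = (uint8_t)(securityId >> (8 * i));
    return e;
}

int main() {
    SecurityTable t = demoTable();
    std::vector<uint8_t> entry = demoEntry(3);   // securityId == numEntries
    uint32_t id = securityIdFromEntry(entry.data(), entry.size());
    LookupOut v = lookupVulnerable(t, id), f = lookupFixed(t, id);
    std::printf("securityId=%u numEntries=%zu vulnerable=%s fixed=%s\n", id, t.numEntries(),
                v.status == Lookup::OobRead ? "OOB read" : "ok",
                f.status == Lookup::Rejected ? "rejected" : "ok");
    return (v.status == Lookup::OobRead && f.status == Lookup::Rejected) ? 0 : 1;
}
```

The corrected condition is equivalent to securityId + 1 >= SecurOffsets.Size(), which is the bound the description implies is missing; rejecting end < start additionally catches a non‑monotonic table that would otherwise produce a wrapped, enormous length.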

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a 7‑Zip release later than 26.00 as soon as the vendor publishes one with a corrected WIM handler; at the time of this record no fixed version is listed.
  • If an upgrade is not possible, avoid opening or listing any .wim, .swm, .esd or .ppkg files with 7‑Zip until a patch is applied, and consider restricting 7zFM.exe usage to trusted environments.
  • Use an alternative archiver that does not include the vulnerable WIM handler to process Windows Imaging files until the official fix is available.

Generated by OpenCVE AI on June 5, 2026 at 17:23 UTC.

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | - | 7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain an off-by-one heap out-of-bounds read in the WIM (Windows Imaging) archive handler's security descriptor lookup. In CHandler::GetSecurity (CPP/7zip/Archive/Wim/WimHandler.cpp), the per-image SecurOffsets table holds numEntries + 1 cumulative offsets, but the check securityId >= SecurOffsets.Size() admits securityId == numEntries, and the function then reads SecurOffsets[securityId + 1], fetching one UInt32 past the end of the heap-allocated CRecordVector (which performs no bounds checking on operator[]). The securityId is attacker-controlled at offset +0xC of any directory entry in WIM metadata, and the handler is registered for .wim, .swm, .esd, and .ppkg and enabled by default in stock 7z.dll; the OOB triggers zero-click in the GUI because 7zFM.exe's ListView calls GetRawProp(kpidNtSecure) for every item during listing (ASan-confirmed), and is also reachable via CLI listing with 7zz l -slt. Impact is limited to denial of service under hardened allocators and minor information disclosure, since the OOB value is only consumed arithmetically as a length and is not surfaced to the attacker; there is no write primitive.
Title | - | GHSL-2026-119 7-Zip WIM SecurityId OOB read
Weaknesses | - | CWE-125
References | - | -
Metrics | - | cvssV3_1: {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T15:48:49.891Z

Reserved: 2026-05-20T18:40:45.835Z

Link: CVE-2026-48103

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T17:16:48.133

Modified: 2026-06-05T17:16:48.133

Link: CVE-2026-48103

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T17:30:45Z

Weaknesses