Description
7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain an uninitialized heap read in the SquashFS archive handler caused by a sparsely populated index array. In the SquashFS handler, _blockToNode is allocated with capacity for every metadata block but populated only when an inode crosses a block boundary, so a crafted image with few inodes spanning many blocks leaves most slots holding raw heap contents (the underlying allocator does not zero-initialize POD storage). When OpenDir looks up an attacker-influenced blockIndex (derived from the RootInode superblock field), it reads two of these uninitialized slots and passes them as the left/right bounds of a binary search over _nodesPos, which dereferences the midpoint without bounds checking; if the resulting value happens to match the search key, the returned index is used to read a full node struct from _nodes whose fields feed further directory parsing, forming a chained OOB read primitive that is heap-layout-dependent and not reliably triggerable. The SquashFS handler is enabled by default in stock 7z.dll and the issue triggers during Open() with no interaction beyond opening the file; impact is denial of service from wild-pointer dereference and potential heap information disclosure, with no write primitive. Version 26.01 fixes the issue.
Published: 2026-06-05
Score: 4.2 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An uninitialized heap read exists in 7-Zip's SquashFS archive handler in versions 9.18 through 26.00. The handler allocates an index array, _blockToNode, with a slot for every metadata block but populates a slot only when an inode crosses a block boundary, so many entries contain raw allocator contents. When a crafted SquashFS image is opened, _blockToNode is read at a block index derived from the RootInode superblock field, so the binary search uses uninitialized values as its bounds and dereferences the midpoint without bounds checking. The result is a chained out-of-bounds read that can expose uninitialized heap memory but provides no write primitive, leading to a wild-pointer dereference and a denial of service during file opening.
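A simplified model of the index pattern described above, as an added example (it is not 7-Zip source and not part of the advisory). The names Index, buildSparse, buildDense and findNode are hypothetical, and the kGarbage sentinel is an assumption standing in for uninitialized heap contents. It contrasts the sparse fill with a dense fill and shows a lookup that validates the block index and both bounds before the binary search.

```cpp
#include <algorithm>
#include <cstdint>
#include <utility>
#include <vector>

// Simplified model of the pattern; every name here is hypothetical.
constexpr uint32_t kBlockSize = 8192;        // SquashFS metadata block size
constexpr uint32_t kGarbage   = 0xCDCDCDCD;  // stands in for stale heap bytes
struct Index {
    std::vector<uint32_t> nodesPos;     // sorted stream offset of each inode
    std::vector<uint32_t> blockToNode;  // per block: index of its first inode
};

// Sparse fill: a slot is written only when an inode starts in a new block.
Index buildSparse(std::vector<uint32_t> pos, uint32_t numBlocks) {
    Index ix{std::move(pos), std::vector<uint32_t>(numBlocks + 1, kGarbage)};
    uint32_t prev = UINT32_MAX;
    for (uint32_t i = 0; i < ix.nodesPos.size(); i++) {
        uint32_t b = ix.nodesPos[i] / kBlockSize;
        if (b != prev && b <= numBlocks) ix.blockToNode[b] = i;
        prev = b;
    }
    return ix;
}

// Dense fill: every slot, including the terminator, gets a defined value.
Index buildDense(std::vector<uint32_t> pos, uint32_t numBlocks) {
    Index ix{std::move(pos), std::vector<uint32_t>(numBlocks + 1)};
    for (uint32_t b = 0; b <= numBlocks; b++) {
        auto it = std::lower_bound(ix.nodesPos.begin(), ix.nodesPos.end(), uint64_t(b) * kBlockSize);
        ix.blockToNode[b] = uint32_t(it - ix.nodesPos.begin());
    }
    return ix;
}

// Lookup that validates the block index and both bounds before searching.
int findNode(const Index& ix, uint32_t blockIndex, uint32_t offset) {
    if (uint64_t(blockIndex) + 1 >= ix.blockToNode.size()) return -1;
    uint64_t left = ix.blockToNode[blockIndex], right = ix.blockToNode[blockIndex + 1];
    if (left > right || right > ix.nodesPos.size()) return -1;  // unset or corrupt
    uint64_t key = uint64_t(blockIndex) * kBlockSize + offset;
    while (left < right) {
        uint64_t mid = left + (right - left) / 2;
        if (ix.nodesPos[mid] == key) return int(mid);
        if (ix.nodesPos[mid] < key) left = mid + 1; else right = mid;
    }
    return -1;
}

int main() { return findNode(buildDense({0, 100, 40970}, 8), 5, 10) == 2 ? 0 : 1; }
```

With the constructed offsets {0, 100, 40970} over 8 blocks, the sparse fill writes only slots 0 and 5, and the checked lookup rejects every query whose bounds come from an unwritten slot.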

Affected Systems

The vulnerability affects mcmilk's 7-Zip product, specifically releases from 9.18 up to and including 26.00. SquashFS support is enabled by default in the standard 7z.dll distribution and is invoked automatically when a SquashFS archive is opened. A patched release, version 26.01 or later, removes the flaw and reinitialises the index array correctly.

Risk and Exploitability

The CVSS score of 4.2 indicates moderate severity. The EPSS score is not available, and the issue is not listed in the CISA KEV catalog. Exploitation requires only that an attacker deliver a specially crafted SquashFS image and that the victim opens it, typically via phishing or email attachments. The read is heap‑layout dependent and not reliably triggerable, so while the potential for information disclosure exists, the likelihood of successful exploitation is limited and the impact is largely a denial of service from a wild‑pointer dereference.

Generated by OpenCVE AI on June 5, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to 7‑Zip 26.01 or later to eliminate the uninitialized heap read
  • Disable or remove SquashFS support in 7z.dll if it can be configured, preventing the vulnerable handler from being invoked
  • Avoid opening or extracting suspicious SquashFS archives until a patch is applied

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | (same text as the Description at the top of this page)
Title | | GHSL-2026-120: 7-Zip SquashFS BlockToNode uninitialized heap read
Weaknesses | | CWE-125, CWE-908
References | |
Metrics | | cvssV3_1: {'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T15:56:34.744Z

Reserved: 2026-05-20T18:40:45.836Z

Link: CVE-2026-48104

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-05T17:16:48.547

Modified: 2026-06-05T17:16:48.547

Link: CVE-2026-48104

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T18:00:15Z

Weaknesses