Description
7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an off-by-one out-of-bounds read vulnerability in the ParseDepedencyExpression function of the UEFI firmware image parser (CPP/7zip/Archive/UefiHandler.cpp). The function validates an attacker-controlled opcode byte using > instead of >= against the element count of the 10-entry kExpressionCommands static array, allowing an opcode value of 10 to read one pointer slot (8 bytes on x64) past the end of the array in .rodata. The out-of-bounds value is then dereferenced as a const char * and passed through strlen and memcpy into the archive's Characts property, which may cause either a denial of service (access violation when the adjacent bytes do not form a valid readable pointer) or a minor information disclosure of an adjacent .rdata string literal into archive metadata. The vulnerability is reached automatically during IInArchive::Open() via the call path OpenFv/OpenCapsule → ParseVolume → ParseSections when processing a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section whose first body byte is 0x0A; the UEFI handler is enabled by default in stock 7z.dll with signature-based detection for both the UEFIc and UEFIf formats. The outcome (crash vs. silent leak) is deterministic per build but linker-layout dependent, with no write primitive and no disclosure of heap data, secrets, or ASLR base addresses. Version 26.01 fixes the issue.
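The bounds-check defect described above, shown as an added illustration that is not 7-Zip's own code: a 10-entry table of opcode names, the off-by-one predicate that accepts an index equal to the element count, the corrected predicate, and a small DEPEX renderer that refuses unknown opcodes instead of dereferencing a slot past the table. The table contents are constructed from the UEFI PI dependency-expression opcodes (0x00 BEFORE through 0x09 SOR, with PUSH followed by a 16-byte GUID) and stand in for kExpressionCommands; the function names are hypothetical.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Constructed 10-entry opcode name table (UEFI PI DEPEX opcodes 0x00..0x09).
// It stands in for 7-Zip's kExpressionCommands; the exact strings used there
// are not reproduced here.
static const char *const kDepexOpcodeNames[] = {
    "BEFORE", "AFTER", "PUSH", "AND", "OR", "NOT", "TRUE", "FALSE", "END", "SOR"};
static const size_t kNumDepexOpcodes =
    sizeof(kDepexOpcodeNames) / sizeof(kDepexOpcodeNames[0]);

// Off-by-one predicate of the kind the advisory describes: using '>' lets an
// opcode equal to the element count (10) through, and kDepexOpcodeNames[10]
// is one pointer slot past the end of the table.
bool VulnerableCheckAccepts(unsigned opcode) {
  return !(opcode > kNumDepexOpcodes);  // accepts 0..10
}

// Corrected predicate: a valid index is strictly less than the element count.
bool FixedCheckAccepts(unsigned opcode) {
  return opcode < kNumDepexOpcodes;  // accepts 0..9
}

// Safe lookup that never indexes past the table.
const char *LookupOpcodeName(unsigned opcode) {
  return FixedCheckAccepts(opcode) ? kDepexOpcodeNames[opcode] : nullptr;
}

// Lower-case hex rendering of a byte range (helper for GUIDs and diagnostics).
static std::string Hex(const uint8_t *p, size_t n) {
  static const char *kDigits = "0123456789abcdef";
  std::string s;
  for (size_t i = 0; i < n; ++i) {
    s += kDigits[p[i] >> 4];
    s += kDigits[p[i] & 0x0F];
  }
  return s;
}

// Renders a DEPEX section body as a space-separated opcode string.
// PUSH (0x02) consumes a 16-byte GUID operand; END (0x08) terminates the
// expression. Returns false, leaving a diagnostic in 'out', for an unknown
// opcode or a truncated GUID, rather than reading out of range.
bool RenderDepex(const std::vector<uint8_t> &body, std::string &out) {
  out.clear();
  size_t i = 0;
  while (i < body.size()) {
    const uint8_t op = body[i++];
    const char *name = LookupOpcodeName(op);
    if (name == nullptr) {
      out += "<invalid opcode 0x" + Hex(&op, 1) + ">";
      return false;
    }
    if (!out.empty()) out += ' ';
    out += name;
    if (op == 0x02) {  // PUSH: a 16-byte GUID must follow
      if (body.size() - i < 16) {
        out += " <truncated GUID>";
        return false;
      }
      out += ' ' + Hex(&body[i], 16);
      i += 16;
    }
    if (op == 0x08) break;  // END
  }
  return true;
}
```

Computing the element count with sizeof over the array (rather than a hard-coded 10) keeps the check in step with the table, but it does not help if the comparison operator is wrong; the fixed predicate is the one the lookup relies on.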
Published: 2026-06-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an off‑by‑one out‑of‑bounds read in the UEFI firmware image parser's ParseDepedencyExpression function. An attacker‑controlled opcode byte equal to 10 passes the bounds check and causes the parser to dereference the pointer slot immediately beyond the end of a 10‑entry array. The dereferenced memory is passed through string functions and copied into archive metadata, which can trigger an access violation (a crash) or leak an adjacent .rdata string literal. The vulnerability does not provide a write primitive and does not expose heap data, secrets, or ASLR base addresses, so it does not directly compromise secrets.

Affected Systems

Versions 9.21 through 26.00 of the 7‑Zip archiver from the vendor mcmilk contain this issue. The flaw is exercised automatically when an archive containing a UEFI SECTION_DXE_DEPEX or SECTION_PEI_DEPEX section whose first body byte is 0x0A is opened, because the UEFI handler is enabled by default in the stock 7z.dll. The vendor released a fix in 7‑Zip 26.01, which corrects the bounds check.

Risk and Exploitability

With a CVSS score of 4.3 the risk is moderate. The EPSS score is below 1% and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires an archive processed by the UEFI handler, which is on by default, so a local or remote attacker who can supply a crafted archive to a system running 7‑Zip can cause a crash or a silent leak of an adjacent string literal. Because the outcome is deterministic per build but linker‑layout dependent, an attacker cannot choose which of the two results occurs, but the potential denial of service warrants mitigation.

Generated by OpenCVE AI on June 5, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update 7‑Zip to version 26.01 or later to apply the vendor‑supplied fix.
  • If an immediate upgrade is not possible, disable the UEFI firmware image parser before opening archives that may contain DEPEX sections, thereby preventing the vulnerable path from executing.
  • Monitor systems for unexplained crashes or anomalous metadata in archives processed by 7‑Zip as an early indicator of exploitation attempts.


Advisories

No advisories yet.

History

Fri, 05 Jun 2026 16:45:00 +0000

Values Removed: none

Values Added:

  • Description: 7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an off-by-one out-of-bounds read vulnerability in the ParseDepedencyExpression function of the UEFI firmware image parser (CPP/7zip/Archive/UefiHandler.cpp). The function validates an attacker-controlled opcode byte using > instead of >= against the element count of the 10-entry kExpressionCommands static array, allowing an opcode value of 10 to read one pointer slot (8 bytes on x64) past the end of the array in .rodata. The out-of-bounds value is then dereferenced as a const char * and passed through strlen and memcpy into the archive's Characts property, which may cause either a denial of service (access violation when the adjacent bytes do not form a valid readable pointer) or a minor information disclosure of an adjacent .rdata string literal into archive metadata. The vulnerability is reached automatically during IInArchive::Open() via the call path OpenFv/OpenCapsule → ParseVolume → ParseSections when processing a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section whose first body byte is 0x0A, and the UEFI handler is enabled by default in stock 7z.dll with signature-based detection for both UEFIc and UEFIf formats. The outcome (crash vs. silent leak) is deterministic per build but linker-layout dependent, with no write primitive and no disclosure of heap data, secrets, or ASLR base addresses. Version 26.01 fixes the issue.
  • Title: GHSL-2026-121 7-Zip UEFI DEPEX OOB Read
  • Weaknesses: CWE-125
  • References: none
  • Metrics: cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T16:09:31.039Z

Reserved: 2026-05-20T18:46:58.288Z

Link: CVE-2026-48111

Vulnrichment

No data.

NVD

Status: Undergoing Analysis

Published: 2026-06-05T17:16:48.937

Modified: 2026-06-05T19:03:48.933

Link: CVE-2026-48111

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T17:30:45Z

Weaknesses