Description
7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an off-by-one out-of-bounds read vulnerability in the ParseDepedencyExpression function of the UEFI firmware image parser (CPP/7zip/Archive/UefiHandler.cpp). The function validates an attacker-controlled opcode byte using > instead of >= against the element count of the 10-entry kExpressionCommands static array, allowing an opcode value of 10 to read one pointer slot (8 bytes on x64) past the end of the array in .rodata. The out-of-bounds value is then dereferenced as a const char * and passed through strlen and memcpy into the archive's Characts property, which may cause either a denial of service (access violation when the adjacent bytes do not form a valid readable pointer) or a minor information disclosure of an adjacent .rdata string literal into archive metadata. The vulnerability is reached automatically during IInArchive::Open() via the call path OpenFv/OpenCapsule → ParseVolume → ParseSections when processing a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section whose first body byte is 0x0A, and the UEFI handler is enabled by default in stock 7z.dll with signature-based detection for both UEFIc and UEFIf formats. The outcome (crash vs. silent leak) is deterministic per build but linker-layout dependent, with no write primitive and no disclosure of heap data, secrets, or ASLR base addresses. Version 26.01 fixes the issue.
Published: 2026-06-05
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw is an off-by-one out-of-bounds read in the UEFI firmware image parser's ParseDepedencyExpression function. An attacker-controlled opcode byte equal to 10 passes the bounds check and causes the parser to dereference the pointer slot one past the end of a 10-entry array. The dereferenced memory is passed through string functions and copied into archive metadata, which can trigger an access violation (a crash) or leak an adjacent .rdata string literal. The vulnerability does not provide a write primitive, does not expose heap data, secrets, or ASLR base addresses, and therefore does not directly compromise secrets.
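A simplified model of the comparison described above, written as an added example (this is not 7-Zip's code): the pre-fix and post-fix shape of the opcode check side by side, plus a hardened walk over a DEPEX section body that rejects opcode 0x0A before it can index the table. The opcode table, the 16-byte PUSH operand and the sample section bodies are assumptions taken from the UEFI PI specification and constructed here, not from UefiHandler.cpp.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Constructed stand-in for the 10-entry opcode table (names follow the UEFI PI
// DEPEX opcodes 0x00 BEFORE .. 0x09 SOR); this is not 7-Zip's own array.
static const char *const kExpressionCommands[] = {
    "BEFORE", "AFTER", "PUSH", "AND", "OR", "NOT", "TRUE", "FALSE", "END", "SOR"};
static const size_t kNumCommands =
    sizeof(kExpressionCommands) / sizeof(kExpressionCommands[0]);

// Pre-fix shape of the check: '>' lets opcode == kNumCommands (0x0A) through,
// so kExpressionCommands[opcode] would read one pointer slot past the table.
bool opcodeAcceptedBuggy(uint8_t opcode) { return !(static_cast<size_t>(opcode) > kNumCommands); }

// Post-fix shape: '>=' rejects 0x0A, so only 0x00..0x09 ever index the table.
bool opcodeAcceptedFixed(uint8_t opcode) { return !(static_cast<size_t>(opcode) >= kNumCommands); }

// Hardened walk over a DEPEX section body. Every opcode is range-checked with
// the fixed comparison before it indexes the table, a PUSH operand (16-byte
// GUID per the PI spec) is consumed only when fully present, and END stops the
// walk. Returns the decoded mnemonics, or "" if the body is rejected.
std::string parseDepex(const std::vector<uint8_t> &body) {
    std::string out;
    size_t i = 0;
    while (i < body.size()) {
        uint8_t op = body[i++];
        if (!opcodeAcceptedFixed(op)) return "";      // 0x0A is rejected here
        if (!out.empty()) out += ' ';
        out += kExpressionCommands[op];
        if (op == 0x02) {                             // PUSH <GUID>
            if (body.size() - i < 16) return "";      // truncated operand
            i += 16;
        }
        if (op == 0x08) return out;                   // END closes the expression
    }
    return "";                                        // ran out of bytes before END
}

// Constructed sample bodies: a well-formed expression and one whose first
// byte is the off-by-one opcode 0x0A that the advisory describes.
std::vector<uint8_t> sampleGoodBody() {
    std::vector<uint8_t> b = {0x02};        // PUSH
    b.insert(b.end(), 16, 0x11);            // placeholder GUID bytes
    b.insert(b.end(), {0x06, 0x03, 0x08});  // TRUE AND END
    return b;
}
std::vector<uint8_t> sampleBadBody() { return {0x0A, 0x08}; }
```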

Affected Systems

Versions 9.21 through 26.00 of the 7-Zip archiver from the vendor mcmilk contain this issue. The flaw is exercised automatically when an archive containing a UEFI SECTION_DXE_DEPEX or SECTION_PEI_DEPEX section whose first body byte is 0x0A is opened, because the UEFI handler is enabled by default in the stock 7z.dll. The vendor released a fix in 7-Zip 26.01, which corrects the bounds check.

Risk and Exploitability

With a CVSS score of 4.3 the risk is moderate. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog. The attack vector requires an archive processed by the UEFI handler, which is on by default, so a local or remote attacker who can supply a crafted archive to a system running 7-Zip can cause a crash (access violation) or a silent leak. Because the outcome is deterministic per build but linker-layout dependent, an attacker cannot choose which of the two outcomes occurs, but the potential denial of service warrants mitigation.

Generated by OpenCVE AI on June 5, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update 7‑Zip to version 26.01 or later to apply the vendor‑supplied fix.
  • If an immediate upgrade is not possible, disable the UEFI firmware image parser before opening archives that may contain DEPEX sections, thereby preventing the vulnerable path from executing.
  • Monitor systems for unexplained crashes or anomalous metadata in archives processed by 7‑Zip as an early indicator of exploitation attempts.


Advisories

No advisories yet.

History

Mon, 08 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 08 Jun 2026 17:45:00 +0000

Type Values Removed Values Added
First Time appeared 7-zip
7-zip 7-zip
CPEs cpe:2.3:a:7-zip:7-zip:*:*:*:*:*:*:*:*
Vendors & Products 7-zip
7-zip 7-zip

Sun, 07 Jun 2026 11:30:00 +0000

Type Values Removed Values Added
First Time appeared Mcmilk
Mcmilk 7-zip
Vendors & Products Mcmilk
Mcmilk 7-zip

Fri, 05 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description (identical to the Description section at the top of this page)
Title GHSL-2026-121 7-Zip UEFI DEPEX OOB Read
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-08T17:19:57.025Z

Reserved: 2026-05-20T18:46:58.288Z

Link: CVE-2026-48111

Vulnrichment

Updated: 2026-06-08T17:19:12.083Z

NVD

Status : Modified

Published: 2026-06-05T17:16:48.937

Modified: 2026-06-08T18:16:33.680

Link: CVE-2026-48111

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-07T11:16:23Z

Weaknesses