Description
7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain a heap out-of-bounds read in the 7-Zip Ar handler's BSD SYMDEF parser. A 4-byte heap out-of-bounds read exists in the Unix ar archive parser in 7-Zip. When parsing a BSD-style __.SYMDEF symbol table, the ParseLibSymbols function reads a 32-bit namesSize field via Get32 at a position that can equal the buffer size, reading 4 bytes past the end of the heap allocation. This reads uninitialized heap data under the default allocator. Version 26.01 patches the issue.
Published: 2026-06-05
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap out‑of‑bounds read in the Unix ar archive handler of 7‑Zip. When parsing a BSD‑style __.SYMDEF symbol table the parser reads four bytes past the end of the allocated buffer, which can expose uninitialized heap contents. This flaw can lead to leakage of sensitive data that resides on the heap at the time the file is processed.
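The description says the namesSize field is read with Get32 at an offset that can equal the buffer size, i.e. the length check admits `pos == size` and the 4-byte read then runs off the end of the allocation. The following is an added example and is not 7-Zip's code or the GHSL advisory's: it models that defect class next to the hardened check on a hypothetical __.SYMDEF layout (ranlib table size, entries, string table size, strings). The function names, the layout and the sample buffers are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Little-endian 32-bit read with no bounds check of its own: the caller
   must already have verified that bytes pos..pos+3 lie inside the buffer. */
static uint32_t get32_le(const uint8_t *p, size_t pos) {
    return (uint32_t)p[pos] | ((uint32_t)p[pos + 1] << 8) |
           ((uint32_t)p[pos + 2] << 16) | ((uint32_t)p[pos + 3] << 24);
}

/* Model of the defect class: only "offset not past the end" is checked,
   so pos == size is accepted and the following 4-byte read goes out of bounds. */
bool weak_offset_ok(size_t size, size_t pos) {
    return pos <= size;
}

/* Hardened check: all 4 bytes of the field must fit. Written as a
   subtraction on the remaining length so that pos + 4 cannot wrap (CWE-190). */
bool safe_u32_offset_ok(size_t size, size_t pos) {
    return pos <= size && size - pos >= 4;
}

/* Result of parsing a (hypothetical) BSD __.SYMDEF member. */
typedef struct {
    uint32_t ranlib_bytes;  /* byte size of the ranlib entry table */
    uint32_t names_size;    /* byte size of the string table that follows it */
} symdef_info;

/* Assumed layout: u32 ranlib_bytes, ranlib_bytes bytes of entries,
   u32 names_size, names_size bytes of strings. Returns 0 on success and a
   negative code on malformed input; never touches bytes outside buf[0..size). */
int parse_bsd_symdef(const uint8_t *buf, size_t size, symdef_info *out) {
    size_t pos = 0;
    if (!safe_u32_offset_ok(size, pos)) return -1;
    uint32_t ranlib_bytes = get32_le(buf, pos);
    pos += 4;
    /* Skip the entry table; compare against remaining bytes, not pos + n. */
    if (ranlib_bytes > size - pos) return -2;
    pos += ranlib_bytes;
    /* The step the advisory describes: pos may now equal size exactly. */
    if (!safe_u32_offset_ok(size, pos)) return -3;
    uint32_t names_size = get32_le(buf, pos);
    pos += 4;
    if (names_size > size - pos) return -4;
    out->ranlib_bytes = ranlib_bytes;
    out->names_size = names_size;
    return 0;
}

/* Constructed sample: one 8-byte ranlib entry followed by a 4-byte string table. */
static const uint8_t SAMPLE_OK[] = {
    0x08, 0x00, 0x00, 0x00,                         /* ranlib_bytes = 8 */
    0x00, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00, /* one entry */
    0x04, 0x00, 0x00, 0x00,                         /* names_size = 4 */
    'm', 'a', 'i', 'n'                              /* string table */
};

/* Constructed sample: ranlib_bytes covers the rest of the buffer, so the
   names_size read would start at pos == size. The weak check passes it. */
static const uint8_t SAMPLE_TRUNCATED[] = {
    0x08, 0x00, 0x00, 0x00,
    0x00, 0x00, 0x00, 0x00, 0x44, 0x00, 0x00, 0x00
};

int main(void) {
    symdef_info info;
    int rc = parse_bsd_symdef(SAMPLE_OK, sizeof SAMPLE_OK, &info);
    printf("ok sample: rc=%d ranlib=%u names=%u\n", rc, info.ranlib_bytes, info.names_size);
    rc = parse_bsd_symdef(SAMPLE_TRUNCATED, sizeof SAMPLE_TRUNCATED, &info);
    printf("truncated sample: rc=%d\n", rc);
    printf("at pos==size: weak check=%d, safe check=%d\n",
           weak_offset_ok(12, 12), safe_u32_offset_ok(12, 12));
    return 0;
}
```

The point of the two check functions is the boundary case: both agree for every offset strictly inside or strictly past the buffer, and differ only at `pos == size`, which is exactly the condition the description gives. Checking `size - pos >= 4` rather than `pos + 4 <= size` also closes the integer-overflow variant that the CWE-190 tag on this record hints at.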

Affected Systems

7‑Zip (vendor Mcmilk) versions 9.18 through 26.00 are affected. The issue is fixed in release 26.01 and later.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity. EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. The likely attack vector is local; an adversary would need to supply a specially crafted .ar file and invoke 7‑Zip to trigger the read. While the read does not provide direct code execution, the potential exposure of data makes the flaw significant for systems dealing with untrusted archives.

Generated by OpenCVE AI on June 5, 2026 at 17:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade 7‑Zip to version 26.01 or later.
  • Until the upgrade can be applied, avoid extracting BSD‑style ar archives from untrusted sources.
  • Validate archive files for legitimate type and size before processing them with 7‑Zip.

Advisories

No advisories yet.

History

Mon, 08 Jun 2026 18:15:00 +0000

Type | Values Removed | Values Added
First Time appeared | | 7-zip, 7-zip 7-zip
CPEs | | cpe:2.3:a:7-zip:7-zip:*:*:*:*:*:*:*:*
Vendors & Products | | 7-zip, 7-zip 7-zip

Sun, 07 Jun 2026 11:30:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Mcmilk, Mcmilk 7-zip
Vendors & Products | | Mcmilk, Mcmilk 7-zip

Fri, 05 Jun 2026 20:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 05 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | 7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain a heap out-of-bounds read in 7-Zip Ar handler BSD SYMDEF parser. A 4-byte heap out-of-bounds read exists in the Unix ar archive parser in 7-Zip. When parsing a BSD-style __.SYMDEF symbol table, the ParseLibSymbols function reads a 32-bit namesSize field via Get32 at a position that can equal the buffer size, reading 4 bytes past the end of the heap allocation. This reads uninitialized heap data under the default allocator. Version 26.01 patches the issue.
Title | | GHSL-2026-122 7-Zip Ar SYMDEF OOB Read
Weaknesses | | CWE-125, CWE-190
References | |
Metrics | | cvssV3_1: {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:38:43.293Z

Reserved: 2026-05-20T18:46:58.289Z

Link: CVE-2026-48112

Vulnrichment

Updated: 2026-06-05T19:38:38.336Z

NVD

Status: Analyzed

Published: 2026-06-05T17:16:49.353

Modified: 2026-06-08T18:00:40.557

Link: CVE-2026-48112

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-07T11:16:21Z

Weaknesses