Description
7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain a heap out-of-bounds read in 7-Zip Ar handler BSD SYMDEF parser. A 4-byte heap out-of-bounds read exists in the Unix ar archive parser in 7-Zip. When parsing a BSD-style __.SYMDEF symbol table, the ParseLibSymbols function reads a 32-bit namesSize field via Get32 at a position that can equal the buffer size, reading 4 bytes past the end of the heap allocation. This reads uninitialized heap data under the default allocator. Version 26.01 patches the issue.
Published: 2026-06-05
Score: 6.5 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a heap out‑of‑bounds read in the Unix ar archive handler of 7‑Zip. When parsing a BSD‑style __.SYMDEF symbol table, ParseLibSymbols reads the 32‑bit namesSize field with Get32 at an offset that the bounds check allows to equal the buffer size, so all four bytes of the field come from just past the end of the heap allocation. Under the default allocator those bytes are uninitialized heap data; the parser then treats them as the namesSize value, so whatever happened to sit on the heap after the buffer can be exposed. The record classifies the flaw as CWE‑125 (out‑of‑bounds read) and CWE‑190 (integer overflow or wraparound).
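To make the boundary condition concrete, here is an added example in C; it is my own model of the parse path, not 7‑Zip's source. It implements a minimal reader for the BSD __.SYMDEF layout twice: once with the vulnerable check shape (rejecting only pos > size, so pos == size gets through to the Get32) and once hardened, and runs both on a constructed table whose ranlib size lands pos exactly on the end of a 12‑byte buffer. The field names ranlib_size/names_size, the little‑endian byte order and the 0xDEADBEEF marker placed after the logical end are assumptions for illustration; no input here is real archive data.

```c
/* Added example, not 7-Zip's code: a model of the BSD __.SYMDEF parse path.
 * Layout (byte order assumed little-endian): u32 ranlib_size, then that many
 * bytes of {u32 strx, u32 off} pairs, then u32 names_size, then the names. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct {
    int ok;              /* header accepted */
    int read_past_end;   /* instrumentation: names_size fetched at/after size */
    uint32_t names_size; /* value the parser consumed as names_size */
    size_t names_pos;    /* offset of the string table body when ok */
} symdef_hdr;

static uint32_t get32le(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void put32le(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* Vulnerable shape: the only guard before the names_size read is pos > size,
 * so pos == size passes and get32le touches data[size..size+3]. */
static symdef_hdr parse_symdef_vulnerable(const uint8_t *data, size_t size)
{
    symdef_hdr h = {0, 0, 0, 0};
    if (size < 4) return h;
    size_t pos = 4 + (size_t)get32le(data);    /* skip the ranlib array */
    if (pos > size) return h;                  /* BUG: pos == size is allowed */
    h.read_past_end = (size - pos < 4);        /* instrumentation only */
    h.names_size = get32le(data + pos);        /* 4-byte over-read if pos == size */
    pos += 4;
    if (pos > size || h.names_size > size - pos) return h;  /* checked too late */
    h.ok = 1; h.names_pos = pos;
    return h;
}

/* Hardened shape: all four bytes of names_size must lie inside the buffer
 * before they are read; size >= 4 is known, so size - 4 cannot underflow. */
static symdef_hdr parse_symdef_fixed(const uint8_t *data, size_t size)
{
    symdef_hdr h = {0, 0, 0, 0};
    if (size < 4) return h;
    size_t pos = 4 + (size_t)get32le(data);
    if (pos > size - 4) return h;              /* rejects pos == size */
    h.names_size = get32le(data + pos);
    pos += 4;
    if (h.names_size > size - pos) return h;
    h.ok = 1; h.names_pos = pos;
    return h;
}

/* Crafted table: ranlib_size = 8 in a 12-byte buffer puts pos on the end; the
 * marker bytes after the logical end stand in for whatever follows the heap
 * allocation. Returns the value the vulnerable parser consumed. */
static uint32_t crafted_symdef_vulnerable(void)
{
    uint8_t backing[16] = {0};
    size_t size = 12;
    put32le(backing, 8);
    put32le(backing + size, 0xDEADBEEFu);      /* "heap" bytes past the end */
    symdef_hdr h = parse_symdef_vulnerable(backing, size);
    return h.read_past_end ? h.names_size : 0;
}

/* Same crafted table against the hardened parser: 0 means rejected. */
static int crafted_symdef_fixed(void)
{
    uint8_t buf[12] = {0};
    put32le(buf, 8);
    return parse_symdef_fixed(buf, sizeof buf).ok;
}

/* Well-formed table with one {strx, off} entry and the single name "_main";
 * returns that name via the hardened parser, or NULL if it was rejected. */
static const char *wellformed_symdef_first_name(void)
{
    static uint8_t buf[4 + 8 + 4 + 6];
    put32le(buf, 8);                /* ranlib_size */
    put32le(buf + 4, 0);            /* strx: offset into the string table */
    put32le(buf + 8, 68);           /* off: member offset, arbitrary here */
    put32le(buf + 12, 6);           /* names_size */
    memcpy(buf + 16, "_main", 6);   /* "_main" plus NUL */
    symdef_hdr h = parse_symdef_fixed(buf, sizeof buf);
    return h.ok ? (const char *)buf + h.names_pos : NULL;
}

int main(void)
{
    printf("vulnerable: names_size = 0x%08X read from past the end\n",
           (unsigned)crafted_symdef_vulnerable());
    printf("fixed: crafted table accepted = %d\n", crafted_symdef_fixed());
    printf("fixed: well-formed first symbol = %s\n", wellformed_symdef_first_name());
    return 0;
}
```

The point of the redzone is that the vulnerable path returns whatever bytes sit after the allocation as the length field, and only notices the truncation afterwards, by which time the over-read has already happened; the hardened path moves the four-byte requirement in front of the read. In a real process those bytes are not a marker but the uninitialized tail of the heap the description refers to.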

Affected Systems

7‑Zip (vendor listed as Mcmilk) versions 9.18 through 26.00 are affected. The issue is fixed in release 26.01 and later.

Risk and Exploitability

The CVSS 3.1 base score of 6.5 (Medium) derives from the vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N: the crafted .ar file can be delivered over the network with no privileges required, but a user has to open it with 7‑Zip, and the impact is to confidentiality only. The SSVC assessment records Exploitation: none, Automatable: no and Technical Impact: partial. No EPSS score is available, and the flaw is not listed in the CISA KEV catalog. The over‑read does not yield code execution by itself, but the possible exposure of heap contents makes it significant for systems that process untrusted archives.

Generated by OpenCVE AI on June 5, 2026 at 17:21 UTC.

Remediation

The issue is patched in 7‑Zip 26.01; no vendor workaround for earlier versions is listed.

OpenCVE Recommended Actions

  • Upgrade 7‑Zip to version 26.01 or later.
  • Until the upgrade can be applied, avoid opening or extracting BSD‑style ar archives (for example .a static libraries, which carry a __.SYMDEF member) from untrusted sources with 7‑Zip.
  • Validate archive files for legitimate type and size before processing them with 7‑Zip.
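As an added example of the pre‑screen the last two recommendations describe, the following C walks a Unix ar archive held in memory and reports whether it contains a BSD __.SYMDEF member, so such files can be held back from 7‑Zip until it is upgraded. It is my own code, not 7‑Zip's and not an official signature; it goes slightly beyond the page by also resolving BSD "#1/N" long member names and matching the "__.SYMDEF SORTED" variant. The sample archive, its member names and its object bytes are constructed inline for illustration.

```c
/* Added example, not 7-Zip's code: walk a Unix ar archive in memory and report
 * whether it carries a BSD-style __.SYMDEF symbol table, the member the
 * affected parser handles. Intended as a pre-screen for untrusted archives. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define AR_MAGIC   "!<arch>\n"
#define AR_HDR_LEN 60   /* name16 date12 uid6 gid6 mode8 size10 fmag2 */

/* Decimal field of fixed width, space padded and not NUL terminated. */
static int ar_field_num(const char *f, size_t width, unsigned long *out)
{
    char tmp[24], *end;
    if (width >= sizeof tmp) return 0;
    memcpy(tmp, f, width);
    tmp[width] = '\0';
    *out = strtoul(tmp, &end, 10);
    return end != tmp;
}

/* Returns 1 and copies the member name into name_out when a __.SYMDEF member
 * (plain or "__.SYMDEF SORTED") is present; 0 otherwise or if malformed. */
static int ar_find_bsd_symdef(const uint8_t *buf, size_t len,
                              char *name_out, size_t name_cap)
{
    if (len < 8 || memcmp(buf, AR_MAGIC, 8) != 0) return 0;
    size_t pos = 8;                                  /* invariant: pos <= len */
    while (len - pos >= AR_HDR_LEN) {
        const char *hdr = (const char *)buf + pos;
        unsigned long size, n;
        char name[64];
        size_t nlen;
        if (memcmp(hdr + 58, "`\n", 2) != 0) return 0;      /* ar_fmag */
        if (!ar_field_num(hdr + 48, 10, &size)) return 0;   /* ar_size */
        size_t data = pos + AR_HDR_LEN;
        if (size > len - data) return 0;                     /* truncated member */
        if (memcmp(hdr, "#1/", 3) == 0) {
            /* BSD long name: the first n bytes of the member data hold it. */
            if (!ar_field_num(hdr + 3, 13, &n) || n > size || n >= sizeof name) return 0;
            memcpy(name, buf + data, n);
            nlen = n;
        } else {
            memcpy(name, hdr, 16);
            nlen = 16;
        }
        /* Drop trailing spaces, BSD's NUL padding and the SysV '/' terminator. */
        while (nlen && (name[nlen-1] == ' ' || name[nlen-1] == '\0' || name[nlen-1] == '/')) nlen--;
        name[nlen] = '\0';
        if (strncmp(name, "__.SYMDEF", 9) == 0) {
            snprintf(name_out, name_cap, "%s", name);
            return 1;
        }
        pos = data + size;
        if ((size & 1) && pos < len) pos++;              /* members are 2-byte aligned */
    }
    return 0;
}

/* Append one member with a 60-byte header; only used to build the samples. */
static int ar_append(uint8_t *out, size_t *len, size_t cap,
                     const char *name, const uint8_t *data, size_t size)
{
    char hdr[AR_HDR_LEN + 1];
    if (strlen(name) > 16 || cap - *len < AR_HDR_LEN + size + (size & 1)) return 0;
    snprintf(hdr, sizeof hdr, "%-16s%-12u%-6u%-6u%-8o%-10lu`\n",
             name, 0u, 0u, 0u, 0644u, (unsigned long)size);
    memcpy(out + *len, hdr, AR_HDR_LEN); *len += AR_HDR_LEN;
    memcpy(out + *len, data, size);      *len += size;
    if (size & 1) out[(*len)++] = '\n';  /* pad to even length */
    return 1;
}

/* Constructed 5-byte "object" member; odd size exercises the pad handling. */
static const uint8_t OBJ[5] = {0xCF, 0xFA, 0xED, 0xFE, 0x00};

/* Constructed sample: a BSD symbol table stored under long name "#1/20"
 * ("__.SYMDEF SORTED" NUL-padded to 20 bytes, then an empty table) followed
 * by the object member. Returns the detected member name, or NULL. */
static const char *sample_archive_symdef_name(void)
{
    static uint8_t ar[256];
    static char found[64];
    size_t len = 8;
    uint8_t symdef[20 + 8] = {0};        /* ranlib_size = 0, names_size = 0 */
    memcpy(ar, AR_MAGIC, 8);
    memcpy(symdef, "__.SYMDEF SORTED", 16);
    ar_append(ar, &len, sizeof ar, "#1/20", symdef, sizeof symdef);
    ar_append(ar, &len, sizeof ar, "hello.o", OBJ, sizeof OBJ);
    return ar_find_bsd_symdef(ar, len, found, sizeof found) ? found : NULL;
}

/* Same builder without the symbol table: the screen must come back clean. */
static int sample_plain_archive_has_symdef(void)
{
    uint8_t ar[128]; char found[64]; size_t len = 8;
    memcpy(ar, AR_MAGIC, 8);
    ar_append(ar, &len, sizeof ar, "hello.o", OBJ, sizeof OBJ);
    return ar_find_bsd_symdef(ar, len, found, sizeof found);
}
```

Note that the walker treats any malformed header, truncated member or oversized long name as a reason to reject rather than to skip, which is the conservative choice for a screen that decides whether an untrusted file is handed on. A match only tells you the file exercises the affected code path; it is not evidence of a malicious table.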

Advisories

No advisories yet.

History

Fri, 05 Jun 2026 20:30:00 +0000

Type      Values Removed    Values Added
Metrics   (none)            ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 05 Jun 2026 16:45:00 +0000

Type          Values Removed    Values Added
Description   (none)            (the CVE description shown at the top of this page)
Title         (none)            GHSL-2026-122 7-Zip Ar SYMDEF OOB Read
Weaknesses    (none)            CWE-125, CWE-190
References
Metrics       (none)            cvssV3_1 {'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N'}

Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-05T19:38:43.293Z

Reserved: 2026-05-20T18:46:58.289Z

Link: CVE-2026-48112

Vulnrichment

Updated: 2026-06-05T19:38:38.336Z

NVD

Status : Undergoing Analysis

Published: 2026-06-05T17:16:49.353

Modified: 2026-06-05T19:03:48.933

Link: CVE-2026-48112

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-05T17:30:45Z

Weaknesses