Critical 7-Zip NTFS Handler Flaw Enables Code Execution via Crafted Archives
Researchers disclosed CVE-2026-48095, a critical heap buffer overflow in 7-Zip affecting version 26.00 and earlier that can lead to application crashes, denial of service, or arbitrary code execution. The bug, reported by Jaroslav Lobačevski of GitHub Security Lab and tracked in advisory GHSL-2026-140, resides in the NTFS archive handler’s CInStream::GetCuSize() logic, where an under-allocation can shrink a buffer to 1 byte before a later operation writes up to 256 MB of attacker-controlled data into it. The resulting heap corruption can overwrite adjacent objects, including a stream object’s vtable pointer, creating a path to code execution.
The vulnerability can be triggered simply by opening a specially crafted file because 7-Zip uses signature-based fallback detection and may route files disguised as .7z, .zip, or .rar into the vulnerable NTFS parser regardless of extension. Reports say both 32-bit and 64-bit builds are affected, with 64-bit systems that have sufficient memory more likely to reach reliable code execution, while lower-memory systems may instead crash. Public disclosure included technical details and a Python proof-of-concept generator, raising the risk of weaponization; the issue carries a CVSS 3.1 score of 8.8, and users are being urged to update 7-Zip and avoid opening untrusted archives.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
7-Zip fixes CVE-2026-48095 in version 26.01
7-Zip addressed CVE-2026-48095 in release 26.01, remediating the heap buffer overflow in the NTFS archive handler that affected version 26.00 and earlier. The fix followed public disclosure of the flaw and its proof-of-concept exploit.
Technical details and PoC for CVE-2026-48095 are publicly disclosed
Researchers publicly disclosed CVE-2026-48095 on 2026-05-26, describing an under-allocation bug in CInStream::GetCuSize() that can shrink a buffer to 1 byte before a large attacker-controlled write. The disclosure included exploitation details involving vtable hijacking and a Python proof-of-concept generator, increasing the risk of weaponization.
GitHub Security Lab reports 7-Zip heap overflow to maintainers
Jaroslav Lobačevski of GitHub Security Lab discovered and responsibly reported a heap buffer overflow in 7-Zip's NTFS archive handler, later tracked as CVE-2026-48095 and GHSL-2026-140. The flaw affects 7-Zip through version 26.00 and can lead to denial of service or arbitrary code execution.
GitHub Security Lab discloses multiple 7-Zip vulnerabilities
An oss-sec post disclosed multiple memory access violations in 7-Zip 26.00 across SquashFS, UEFI capsule, UDF, WIM, UEFI firmware, Ar, and NTFS handlers, plus a path traversal flaw in the 7zDec SDK sample extractor. The post states the issues were coordinated through private reporting in April 2026 and fixed in 7-Zip 26.01, released on 2026-04-27.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
7 references tracked. Mallory keeps watching after this page renders.
Wide-ranging 7-zip vulnerability with 8.8 CVE rating allows for code execution - hundreds of millions of machines potentially at risk | Tom's Hardware
tomshardware.com
Open sourceCVE-2026-48095: 7-Zip Heap Overflow Flaw
socprime.com
Open sourceCVE-2026-48095: 7-Zip Heap Buffer Overflow Vulnerability | The CyberSec Guru
thecybersecguru.com
Open sourceNew 7-Zip Vulnerabilities Let Attackers Execute Arbitrary Code and Compromise Systems - Cyber Security News
cybersecuritynews.com
Open source7-Zip Heap Buffer Overflow: CVE-2026-48095 Details
securityonline.info
Open sourceoss-sec: Various memory access violations in 7-Zip
seclists.org
Open sourceGitHub - dhmosfunk/7-Zip-CVE-2025-0411-POC: This repository contains POC scenarios as part of CVE-2025-0411 MotW bypass. · GitHub
github.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical 7-Zip Heap Overflow in NTFS Parsing Enables Possible Code Execution
A critical vulnerability in **7-Zip** tracked as `CVE-2026-48095` and `GHSL-2026-140` allows attackers to trigger a heap-based buffer overflow when a user opens a specially crafted archive containing an **NTFS volume image**. The flaw affects **7-Zip 26.00 and earlier** and stems from incorrect buffer size calculations and insufficient boundary checks in the NTFS handler, where a computed buffer can shrink to **1 byte** while later logic writes up to **256 MB** of attacker-controlled data into it. Researchers said the bug can cause memory corruption, crashes, denial of service, and potentially **arbitrary code execution**, including through possible vtable pointer overwrite under favorable conditions. The vulnerable NTFS handler is enabled by default in stock `7z.dll`, and exploitation does not depend on a specific file extension because 7-Zip uses signature-based fallback matching for NTFS images. The issue was privately reported to the developers in April and fixed in **7-Zip 26.01**, with vendor and researcher advisories later published alongside a Python proof-of-concept. With 7-Zip widely deployed on Windows and Linux systems and embedded in automated workflows and other software, defenders have little mitigation beyond upgrading to the patched release because no workaround has been identified.
Jun 29, 2026
Remote Code Execution Vulnerabilities in 7-Zip via Malicious ZIP Archives
Two high-severity vulnerabilities in the widely used open-source compression utility 7-Zip have been disclosed, allowing attackers to achieve remote code execution by leveraging specially crafted ZIP archives. The flaws, identified as CVE-2025-11001 and CVE-2025-11002, were reported by Trend Micro’s Zero Day Initiative and affect multiple builds of 7-Zip. These vulnerabilities arise from improper parsing of symbolic links within ZIP files, enabling a malicious archive to escape its intended extraction directory and write files to arbitrary locations on the victim’s system. If exploited, this directory traversal can be chained to execute arbitrary code with the privileges of the user running 7-Zip, potentially compromising the entire Windows environment. Both vulnerabilities have been assigned a CVSS base score of 7.0, reflecting their significant risk. Exploitation requires minimal user interaction; simply opening or extracting a malicious ZIP file is sufficient to trigger the attack. The vulnerabilities were quietly patched in 7-Zip version 25.00, released on July 5, 2025, but details were not publicly disclosed until October, leaving users unaware and exposed for several months if they had not updated. The lack of an automatic update mechanism in 7-Zip exacerbates the risk, as many users may not be running the latest, patched version. The vulnerabilities specifically allow attackers to overwrite or plant payloads in sensitive system paths, which can be used to hijack execution flow and escalate privileges. Security advisories emphasize the importance of updating to version 25.00 or later to mitigate these risks. The flaws highlight the ongoing challenges in securing widely deployed open-source tools, especially those lacking robust update mechanisms. Organizations relying on 7-Zip for file compression and extraction should prioritize patching and consider additional controls to limit the impact of potential exploitation. The vulnerabilities underscore the need for user awareness regarding the risks of opening files from untrusted sources. Security researchers warn that similar directory traversal and symlink handling issues may exist in other archiving tools, warranting broader scrutiny. The incident demonstrates the value of coordinated vulnerability disclosure and timely patch adoption. Enterprises are advised to audit their environments for outdated 7-Zip installations and deploy the latest version as a matter of urgency. The disclosure also serves as a reminder for software maintainers to implement secure default behaviors and consider automated update features to protect end users.
Jun 30, 2026
Active Exploitation of 7-Zip Symbolic Link Vulnerability (CVE-2025-11001)
Attackers are actively exploiting a critical vulnerability in 7-Zip, identified as CVE-2025-11001, which allows remote code execution through improper handling of symbolic links in ZIP files. The flaw, introduced in 7-Zip version 21.02 and fixed in version 25.00, enables attackers to craft malicious ZIP archives that can traverse directories and execute code in the context of a service account, but only on Windows systems with elevated privileges or Developer Mode enabled. NHS England Digital and multiple security researchers have confirmed active exploitation in the wild, and proof-of-concept exploits have been published, increasing the urgency for organizations to update affected systems. The vulnerability was discovered by Ryota Shiga of GMO Flatt Security using an AI-powered application security auditor and was publicly disclosed via the Zero Day Initiative. Security advisories emphasize that exploitation is limited to specific Windows configurations, but the presence of public PoC code raises the risk of broader attacks. Users and organizations are strongly advised to upgrade to 7-Zip version 25.00 or later to mitigate the threat and prevent potential compromise from malicious ZIP files leveraging this vulnerability.
Jun 29, 2026