Critical 7-Zip Heap Overflow in NTFS Parsing Enables Possible Code Execution
A critical vulnerability in 7-Zip tracked as CVE-2026-48095 and GHSL-2026-140 allows attackers to trigger a heap-based buffer overflow when a user opens a specially crafted archive containing an NTFS volume image. The flaw affects 7-Zip 26.00 and earlier and stems from incorrect buffer size calculations and insufficient boundary checks in the NTFS handler, where a computed buffer can shrink to 1 byte while later logic writes up to 256 MB of attacker-controlled data into it. Researchers said the bug can cause memory corruption, crashes, denial of service, and potentially arbitrary code execution, including through possible vtable pointer overwrite under favorable conditions.
The vulnerable NTFS handler is enabled by default in stock 7z.dll, and exploitation does not depend on a specific file extension because 7-Zip uses signature-based fallback matching for NTFS images. The issue was privately reported to the developers in April and fixed in 7-Zip 26.01, with vendor and researcher advisories later published alongside a Python proof-of-concept. With 7-Zip widely deployed on Windows and Linux systems and embedded in automated workflows and other software, defenders have little mitigation beyond upgrading to the patched release because no workaround has been identified.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Advisory and Python proof-of-concept published
Researchers and the vendor later published an advisory for CVE-2026-48095 and released a Python proof-of-concept demonstrating exploitation against vulnerable 7-Zip versions. The disclosure highlighted that no workaround exists other than upgrading to a patched release.
7-Zip 26.01 released with fix for CVE-2026-48095
7-Zip version 26.01 fixed the NTFS handler heap buffer overflow affecting version 26.00 and earlier. The issue could allow crashes, denial of service, or potentially arbitrary code execution via a crafted NTFS image.
Vulnerability privately reported to 7-Zip developers
The heap-based buffer overflow vulnerability later tracked as CVE-2026-48095 / GHSL-2026-140 was privately reported to the 7-Zip developers in April. The flaw affects outdated 7-Zip versions when parsing a specially crafted NTFS volume image.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Critical 7-Zip Vulnerability Exposes Millions of Systems to Potential Malware Attacks - CySecurity News - Latest Information Security and Hacking Incidents
cysecurity.news
Open sourceCVE-2026-48095 - GHSL-2026-140_7-Zip: 7-Zip has a heap buffer overflow via NTFS compressed stream buffer under-allocation
cvefeed.io
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Critical 7-Zip NTFS Handler Flaw Enables Code Execution via Crafted Archives
Researchers disclosed **CVE-2026-48095**, a critical heap buffer overflow in 7-Zip affecting version `26.00` and earlier that can lead to application crashes, denial of service, or arbitrary code execution. The bug, reported by Jaroslav Lobačevski of GitHub Security Lab and tracked in advisory `GHSL-2026-140`, resides in the NTFS archive handler’s `CInStream::GetCuSize()` logic, where an under-allocation can shrink a buffer to 1 byte before a later operation writes up to 256 MB of attacker-controlled data into it. The resulting heap corruption can overwrite adjacent objects, including a stream object’s **vtable** pointer, creating a path to code execution. The vulnerability can be triggered simply by opening a specially crafted file because 7-Zip uses signature-based fallback detection and may route files disguised as `.7z`, `.zip`, or `.rar` into the vulnerable NTFS parser regardless of extension. Reports say both 32-bit and 64-bit builds are affected, with 64-bit systems that have sufficient memory more likely to reach reliable code execution, while lower-memory systems may instead crash. Public disclosure included technical details and a Python proof-of-concept generator, raising the risk of weaponization; the issue carries a **CVSS 3.1 score of 8.8**, and users are being urged to update 7-Zip and avoid opening untrusted archives.
Jun 29, 2026
Remote Code Execution Vulnerabilities in 7-Zip via Malicious ZIP Archives
Two high-severity vulnerabilities in the widely used open-source compression utility 7-Zip have been disclosed, allowing attackers to achieve remote code execution by leveraging specially crafted ZIP archives. The flaws, identified as CVE-2025-11001 and CVE-2025-11002, were reported by Trend Micro’s Zero Day Initiative and affect multiple builds of 7-Zip. These vulnerabilities arise from improper parsing of symbolic links within ZIP files, enabling a malicious archive to escape its intended extraction directory and write files to arbitrary locations on the victim’s system. If exploited, this directory traversal can be chained to execute arbitrary code with the privileges of the user running 7-Zip, potentially compromising the entire Windows environment. Both vulnerabilities have been assigned a CVSS base score of 7.0, reflecting their significant risk. Exploitation requires minimal user interaction; simply opening or extracting a malicious ZIP file is sufficient to trigger the attack. The vulnerabilities were quietly patched in 7-Zip version 25.00, released on July 5, 2025, but details were not publicly disclosed until October, leaving users unaware and exposed for several months if they had not updated. The lack of an automatic update mechanism in 7-Zip exacerbates the risk, as many users may not be running the latest, patched version. The vulnerabilities specifically allow attackers to overwrite or plant payloads in sensitive system paths, which can be used to hijack execution flow and escalate privileges. Security advisories emphasize the importance of updating to version 25.00 or later to mitigate these risks. The flaws highlight the ongoing challenges in securing widely deployed open-source tools, especially those lacking robust update mechanisms. Organizations relying on 7-Zip for file compression and extraction should prioritize patching and consider additional controls to limit the impact of potential exploitation. The vulnerabilities underscore the need for user awareness regarding the risks of opening files from untrusted sources. Security researchers warn that similar directory traversal and symlink handling issues may exist in other archiving tools, warranting broader scrutiny. The incident demonstrates the value of coordinated vulnerability disclosure and timely patch adoption. Enterprises are advised to audit their environments for outdated 7-Zip installations and deploy the latest version as a matter of urgency. The disclosure also serves as a reminder for software maintainers to implement secure default behaviors and consider automated update features to protect end users.
Jun 30, 2026
Active Exploitation of 7-Zip Symbolic Link Vulnerability (CVE-2025-11001)
Attackers are actively exploiting a critical vulnerability in 7-Zip, identified as CVE-2025-11001, which allows remote code execution through improper handling of symbolic links in ZIP files. The flaw, introduced in 7-Zip version 21.02 and fixed in version 25.00, enables attackers to craft malicious ZIP archives that can traverse directories and execute code in the context of a service account, but only on Windows systems with elevated privileges or Developer Mode enabled. NHS England Digital and multiple security researchers have confirmed active exploitation in the wild, and proof-of-concept exploits have been published, increasing the urgency for organizations to update affected systems. The vulnerability was discovered by Ryota Shiga of GMO Flatt Security using an AI-powered application security auditor and was publicly disclosed via the Zero Day Initiative. Security advisories emphasize that exploitation is limited to specific Windows configurations, but the presence of public PoC code raises the risk of broader attacks. Users and organizations are strongly advised to upgrade to 7-Zip version 25.00 or later to mitigate the threat and prevent potential compromise from malicious ZIP files leveraging this vulnerability.
Jun 29, 2026