A newly disclosed 7-Zip vulnerability, tracked as CVE-2026-14266, allows remote code execution via a heap-based buffer overflow in the handling of crafted XZ chunked data. An attacker can trigger the flaw if a user opens a malicious archive or is lured to content that delivers a specially crafted XZ payload, causing code to run with the privileges of the current user. The issue is considered significant because 7-Zip is widely deployed and the attack path can be readily paired with phishing or malicious attachments.
The bug was reported by Landon Peng of Lunbun LLC through coordinated disclosure, and the Zero Day Initiative published advisory ZDI-26-444 after the fix became available. 7-Zip version 26.02, released on June 25, 2026, contains the patch, and reporting said no public proof-of-concept or in-the-wild exploitation had been confirmed at publication. The flaw was assigned a CVSS 7.0 score, reflecting the need for user interaction and a relatively complex exploit path, and users were urged to update and avoid opening untrusted compressed files.

Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
3 events from the most recent confirmed update back to the earliest known activity.
The Zero Day Initiative publicly disclosed the 7-Zip vulnerability by publishing advisory ZDI-26-444 for CVE-2026-14266.
7-Zip version 26.02 was released with a fix for CVE-2026-14266, a flaw involving improper handling of crafted XZ chunked data that could lead to code execution.
Landon Peng of Lunbun LLC reported the heap-based buffer overflow vulnerability CVE-2026-14266 in 7-Zip through coordinated disclosure.
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
2 references tracked. Mallory keeps watching after this page renders.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.