Unrated

Heap Buffer Overflow RCE in 7-Zip NTFS Archive Handler

IdentifiersCVE-2026-48095CWE-787

CVE-2026-48095 is a heap buffer write overflow in 7-Zip’s NTFS archive handler, disclosed as GHSL-2026-140. The flaw is in CInStream::GetCuSize() in NtfsHandler.cpp, where the NTFS compression-unit buffer size is computed using a left-shift expression on a 32-bit value. A crafted NTFS image can cause the shift exponent to reach 32, triggering undefined behavior and resulting in severe under-allocation of the _inBuf buffer, reportedly down to 1 byte on affected platforms. Subsequent processing then writes attacker-controlled compressed-stream data into this undersized heap buffer, causing a large heap overwrite. Public technical analysis indicates the overflow can corrupt adjacent heap objects, including the CInStream object and its vtable pointer, enabling a vtable hijack and potential arbitrary code execution. The vulnerable parser can be reached through 7-Zip’s signature-based handler fallback, so a malicious NTFS image may be disguised with extensions such as .7z, .zip, .rar, or other non-NTFS names and still be parsed by the NTFS handler. The issue affects 7-Zip through version 26.00 and is fixed in 26.01.

For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial

ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation can cause heap corruption leading to application crash, denial of service, or arbitrary code execution in the context of the user running 7-Zip. Public reporting specifically describes corruption of a nearby vtable pointer and a subsequent virtual call redirection path. On systems where the required allocations succeed, especially 64-bit systems with sufficient memory, exploitation may be more reliable for code execution; on lower-memory systems, the more likely outcome may be process termination or denial of service.

Mitigation

If you can’t patch tonight, do this now.

Until patching is complete, avoid opening, testing, or extracting untrusted archives and disk-image-like files with vulnerable 7-Zip versions. Do not rely on file extension filtering alone, because the vulnerable NTFS handler can be reached via signature-based fallback parsing even when the file is disguised as .7z, .zip, .rar, or another extension. Reduce exposure on endpoints used for handling inbound files, and identify systems running 7-Zip 26.00 or earlier for urgent remediation.

Remediation

Patch, then assume compromise.

Upgrade 7-Zip to version 26.01 or later, which contains the vendor fix for CVE-2026-48095. Validate that all deployed copies are updated, including bundled or embedded instances such as redistributed 7z.dll or packaged 7-Zip components in third-party software. Prioritize systems that routinely open externally sourced archives or disk images.

PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

ACTIVITY FEED

Recent activity

38 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

38 SOURCESView more in app

socprime blogNews

May 26, 2026

CVE-2026-48095: 7-Zip Heap Overflow Flaw

A heap buffer write overflow in 7-Zip’s NTFS archive handler that affects 7-Zip 26.00 and can lead to arbitrary code execution, crashes, or denial of service when a user opens a crafted archive file.

thecybersecguruNews

May 26, 2026

CVE-2026-48095: 7-Zip Heap Buffer Overflow Vulnerability | The CyberSec Guru

A critical heap buffer overflow in 7-Zip’s NTFS handler that can lead to remote code execution when a crafted file is opened, including files disguised with benign extensions.

cyber security newsNews

May 26, 2026

New 7-Zip Vulnerabilities Let Attackers Execute Arbitrary Code and Compromise Systems - Cyber Security News

A critical heap buffer overflow in 7-Zip’s NTFS archive handler that can lead to arbitrary code execution via vtable hijacking when a crafted NTFS image triggers undefined behavior in compression-unit size calculation.

security online infoNews

May 26, 2026

7-Zip Heap Buffer Overflow: CVE-2026-48095 Details

A critical heap buffer overflow vulnerability in 7-Zip's NTFS archive handler affecting version 26.00 that can lead to application crashes or arbitrary code execution.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.

Start free trial

Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence

Every observed campaign linking this CVE to a named adversary.

Associated malware

Malware families riding this exploit, with evidence and IOCs.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity34

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES

MITRE CVE

cve.org · CVE-2026-48095

NVD

nvd.nist.gov/vuln/detail/CVE-2026-48095

MITRE CWE · CWE-787

cwe.mitre.org