A critical heap buffer overflow vulnerability has been disclosed in 7-Zip version 26.00, allowing attackers to achieve arbitrary code execution through a vtable hijack by exploiting a flaw in the tool's NTFS archive handler.
Tracked as CVE-2026-48095 and assigned advisory GHSL-2026-140, the flaw resides in the CInStream::GetCuSize() function in NtfsHandler.cpp. The function computes the NTFS compression-unit buffer size using a 32-bit shift operation: (UInt32)1 << (BlockSizeLog + CompressionUnit).
When a crafted NTFS image sets ClusterSizeLog >= 28 (a value the parser explicitly accepts) and a compressed data attribute carries CompressionUnit == 4, the shift exponent reaches 32, which is undefined behavior (UB) in C++. On x86 hardware this UB causes _inBuf to be allocated as just 1 byte, because the hardware masks the shift count.
The undersized 1-byte buffer is then used directly in a ReadStream_FALSE call that writes up to 256 MB of attacker-controlled data into that single-byte allocation.
Because the stream object CInStream is allocated only 304 bytes after _inBuf on the heap, the first 64 KB read iteration overwrites the object's vtable pointer.
The second iteration dispatches through the corrupted vtable: a classic vtable hijack, with the attacker in full control of the overwritten pointer via crafted NTFS cluster content.
Both 32-bit and 64-bit builds are affected. On 64-bit systems with 16 GB or more RAM, the _outBuf.Alloc(8 GB) call succeeds and execution proceeds directly to the overflow. On low-memory systems, allocation failure limits the impact to denial-of-service (DoS).
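To make the size arithmetic concrete, here is an added illustration (not 7-Zip's code) of the computation described above: one helper models what an x86 CPU's 5-bit shift-count masking yields for the out-of-range exponent, without executing the undefined shift itself, and a hardened variant rejects any exponent that does not fit a 32-bit value. The formula and the 28 / 4 sample values come from the article; the function names are mine, and the article's ClusterSizeLog value is assumed here to be what feeds BlockSizeLog.

```c
#include <stdint.h>
#include <stdio.h>

/* Mirrors the article's formula: (UInt32)1 << (BlockSizeLog + CompressionUnit).
 * An x86 CPU masks a 32-bit shift count to its low 5 bits, so a count of 32
 * behaves like a count of 0. This helper applies that masking explicitly
 * instead of performing the undefined shift. */
static uint32_t cu_size_x86_masked(unsigned block_size_log, unsigned compression_unit)
{
    unsigned shift = block_size_log + compression_unit;
    return (uint32_t)1 << (shift & 31);   /* 32 & 31 == 0  ->  1 byte */
}

/* Hardened version: refuse any exponent that would not fit a 32-bit size.
 * Returns 0 on rejection so a caller can fail closed before allocating. */
static uint32_t cu_size_checked(unsigned block_size_log, unsigned compression_unit)
{
    unsigned shift = block_size_log + compression_unit;
    if (shift >= 32)
        return 0;
    return (uint32_t)1 << shift;
}

int main(void)
{
    /* Constructed inputs using the advisory's values: ClusterSizeLog 28, CompressionUnit 4 */
    printf("masked  : %u\n", cu_size_x86_masked(28, 4));  /* 1 (the undersized buffer) */
    printf("checked : %u\n", cu_size_checked(28, 4));     /* 0 (rejected) */
    printf("sane    : %u\n", cu_size_checked(12, 4));     /* 65536 */
    return 0;
}
```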
A particularly dangerous aspect of this vulnerability is its extension-agnostic attack surface. The NTFS handler uses signature-based fallback detection, matching on the "NTFS " signature at byte offset 3.
This means a crafted NTFS image disguised with any file extension (.7z, .zip, .rar, or even no extension at all) can trigger the vulnerable handler after the extension-matched handler rejects it. No interaction beyond opening the crafted file is required.
The vulnerability carries a CVSS 3.1 score of 8.8 (High) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. It is classified under CWE-787 (Out-of-Bounds Write) and CWE-190 (Integer Overflow or Wraparound). All 7-Zip versions through 26.00 are affected, since the flawed GetCuSize() computation has existed since NTFS compressed stream support was first introduced.
The vulnerability was discovered and responsibly reported by Jaroslav Lobačevski (@JarLob) of the GitHub Security Lab. It was confirmed using UBSan (UndefinedBehaviorSanitizer) under Clang on Linux x64, which flagged the root-cause shift UB at NtfsHandler.cpp:687 followed by a cascading invalid vtable dereference leading to a SIGSEGV.
Users are strongly advised to update 7-Zip to the patched version v26.01 immediately and to avoid opening untrusted archive files or disk images of any extension until the fix is applied.