New 7-Zip Vulnerabilities Let Attackers Execute Arbitrary Code and Compromise Systems
Cybersecurity News
By Guru Baran
May 26, 2026
A critical heap buffer overflow vulnerability has been disclosed in 7-Zip version 26.00, enabling attackers to achieve arbitrary code execution via a vtable hijack by exploiting a defect in the tool’s NTFS archive handler.
Tracked as CVE-2026-48095 and assigned advisory GHSL-2026-140, the flaw resides in the CInStream::GetCuSize() function inside NtfsHandler.cpp. The function computes the NTFS compression-unit buffer size using a 32-bit shift operation: (UInt32)1 << (BlockSizeLog + CompressionUnit).
When a crafted NTFS image sets ClusterSizeLog >= 28 (a value explicitly accepted by the parser) and a compressed data attribute carries CompressionUnit == 4, the shift exponent reaches 32, triggering undefined behavior (UB) in C++. On x86 hardware, this UB causes _inBuf to be allocated as just 1 byte due to hardware masking of shift counts.
The undersized 1-byte buffer is immediately used in a ReadStream_FALSE call that writes up to 256 MB of attacker-controlled data into that single-byte allocation.
Since the stream object CInStream is allocated only 304 bytes after _inBuf on the heap, the first 64 KB read iteration overwrites the object’s vtable pointer.
The second iteration dispatches through the corrupted vtable: a classic vtable hijack, with the attacker in full control of the overwritten pointer via crafted NTFS cluster content.
Both 32-bit and 64-bit builds are affected. On 64-bit systems with 16 GB or more RAM, the _outBuf.Alloc(8 GB) call succeeds and execution proceeds directly to the overflow. On low-memory systems, allocation failure limits the impact to denial-of-service (DoS).
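The size computation described above, worked through as an added C example; it is not 7-Zip's code or its patch. The function names are hypothetical, the x86 masking is modelled with an explicit `& 31` so the example itself has no undefined behaviour, and the bounds check is one possible hardening, assumed here rather than taken from the fix.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the behaviour the article describes on x86: the CPU keeps only the
   low 5 bits of a 32-bit shift count, so an exponent of 32 acts like 0.
   The mask is written out so this example contains no undefined behaviour. */
static uint32_t cu_size_x86_model(unsigned block_size_log, unsigned compression_unit)
{
    unsigned exp = block_size_log + compression_unit;
    return (uint32_t)1 << (exp & 31u);
}

/* Hardened form (this example's assumption, not the upstream fix): refuse any
   exponent whose result does not fit in the 32-bit size. */
static bool cu_size_checked(unsigned block_size_log, unsigned compression_unit,
                            uint32_t *size)
{
    unsigned exp = block_size_log + compression_unit;
    if (exp >= 32u)
        return false;
    *size = (uint32_t)1 << exp;
    return true;
}

/* Bytes by which the modelled buffer falls short of the size the format
   implies, computed in 64 bits where the shift is well defined. */
static uint64_t cu_shortfall(unsigned block_size_log, unsigned compression_unit)
{
    unsigned exp = block_size_log + compression_unit;
    uint64_t intended = (exp < 64u) ? (uint64_t)1 << exp : UINT64_MAX;
    return intended - cu_size_x86_model(block_size_log, compression_unit);
}

int main(void)
{
    /* Constructed inputs: a common 4 KiB cluster, then the article's case. */
    const unsigned cases[][2] = { {12, 4}, {27, 4}, {28, 4} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t size = 0;
        bool ok = cu_size_checked(cases[i][0], cases[i][1], &size);
        printf("log=%u cu=%u model=%lu checked=%s shortfall=%llu\n",
               cases[i][0], cases[i][1],
               (unsigned long)cu_size_x86_model(cases[i][0], cases[i][1]),
               ok ? "accepted" : "rejected",
               (unsigned long long)cu_shortfall(cases[i][0], cases[i][1]));
    }
    return 0;
}
```

For the article's case (28, 4) the modelled allocation is 1 byte and the checked form rejects the input, while ordinary cluster sizes pass through unchanged.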
A particularly dangerous aspect of this vulnerability is its extension-agnostic attack surface. The NTFS handler uses signature-based fallback detection, matching on the "NTFS " signature at byte offset 3.
This means a crafted NTFS image disguised with any file extension (.7z, .zip, .rar, or even no extension) can trigger the vulnerable handler after the extension-matched handler rejects it. No interaction beyond opening the crafted file is required.
The vulnerability carries a CVSS 3.1 score of 8.8 (High) with a vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. It is classified under CWE-787 (Out-of-Bounds Write) and CWE-190 (Integer Overflow or Wraparound). All 7-Zip versions through 26.00 are affected, as the flawed GetCuSize() computation has existed since NTFS compressed stream support was first introduced.
The vulnerability was discovered and responsibly reported by Jaroslav Lobačevski (@JarLob) of the GitHub Security Lab. Confirmation was achieved using UBSan (UndefinedBehaviorSanitizer) under Clang on Linux x64, which flagged the root-cause shift UB at NtfsHandler.cpp:687 followed by a cascading invalid vtable dereference leading to a SIGSEGV.
Users are strongly advised to update 7-Zip to the patched version, v26.01, immediately and to avoid opening untrusted archive files or disk images of any extension until the fix is applied.