Vulnerability Details CVE-2026-48095
7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB), potentially allowing attackers to cause arbitrary code execution or application crashes. CInStream::GetCuSize() in the NTFS handler computes the compression-unit buffer size as (UInt32)1 << (BlockSizeLog + CompressionUnit), and a crafted image with ClusterSizeLog >= 28 and CompressionUnit == 4 drives the exponent to 32, which is undefined behavior and collapses on x86/x64 so _inBuf is allocated as 1 byte. ReadStream_FALSE then writes up to 256 MB of attacker-controlled data into that 1-byte buffer in 64 KB iterations, and because the CInStream object sits only 304 bytes after _inBuf, its vtable pointer is overwritten and the next dispatched call achieves a vtable hijack. On 32-bit builds the overflow is unconditionally reached; on 64-bit it requires the parallel 8 GB _outBuf allocation to succeed, otherwise failing closed to denial of service. The NTFS handler is enabled by default in stock 7z.dll and, via signature-based fallback matching "NTFS " at offset 3, will open a crafted image regardless of file extension during extraction or testing. Version 26.01 fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 14.0%
CVSS Severity
CVSS v3 Score 8.8
References
Products affected by CVE-2026-48095
-
cpe:2.3:a:7-zip:7-zip:-
-
cpe:2.3:a:7-zip:7-zip:15.05
-
cpe:2.3:a:7-zip:7-zip:15.06
-
cpe:2.3:a:7-zip:7-zip:15.07
-
cpe:2.3:a:7-zip:7-zip:15.08
-
cpe:2.3:a:7-zip:7-zip:15.09
-
cpe:2.3:a:7-zip:7-zip:15.10
-
cpe:2.3:a:7-zip:7-zip:15.11
-
cpe:2.3:a:7-zip:7-zip:15.12
-
cpe:2.3:a:7-zip:7-zip:15.13
-
cpe:2.3:a:7-zip:7-zip:15.14
-
cpe:2.3:a:7-zip:7-zip:16.00
-
cpe:2.3:a:7-zip:7-zip:16.01
-
cpe:2.3:a:7-zip:7-zip:16.02
-
cpe:2.3:a:7-zip:7-zip:16.03
-
cpe:2.3:a:7-zip:7-zip:16.04
-
cpe:2.3:a:7-zip:7-zip:17.00
-
cpe:2.3:a:7-zip:7-zip:17.01
-
cpe:2.3:a:7-zip:7-zip:18.00
-
cpe:2.3:a:7-zip:7-zip:18.01
-
cpe:2.3:a:7-zip:7-zip:18.03
-
cpe:2.3:a:7-zip:7-zip:18.05
-
cpe:2.3:a:7-zip:7-zip:18.06
-
cpe:2.3:a:7-zip:7-zip:19.00
-
cpe:2.3:a:7-zip:7-zip:19.02
-
cpe:2.3:a:7-zip:7-zip:20.00
-
cpe:2.3:a:7-zip:7-zip:20.02
-
cpe:2.3:a:7-zip:7-zip:21.00
-
cpe:2.3:a:7-zip:7-zip:21.02
-
cpe:2.3:a:7-zip:7-zip:21.03
-
cpe:2.3:a:7-zip:7-zip:21.04
-
cpe:2.3:a:7-zip:7-zip:21.06
-
cpe:2.3:a:7-zip:7-zip:21.07
-
cpe:2.3:a:7-zip:7-zip:22.01
-
cpe:2.3:a:7-zip:7-zip:23.01
-
cpe:2.3:a:7-zip:7-zip:24.05
-
cpe:2.3:a:7-zip:7-zip:24.06
-
cpe:2.3:a:7-zip:7-zip:24.07
-
cpe:2.3:a:7-zip:7-zip:24.08
-
cpe:2.3:a:7-zip:7-zip:24.09
-
cpe:2.3:a:7-zip:7-zip:25.00
-
cpe:2.3:a:7-zip:7-zip:25.01
-
cpe:2.3:a:7-zip:7-zip:3.13
-
cpe:2.3:a:7-zip:7-zip:4.20
-
cpe:2.3:a:7-zip:7-zip:4.23
-
cpe:2.3:a:7-zip:7-zip:4.24
-
cpe:2.3:a:7-zip:7-zip:4.25
-
cpe:2.3:a:7-zip:7-zip:4.26
-
cpe:2.3:a:7-zip:7-zip:4.27
-
cpe:2.3:a:7-zip:7-zip:4.28
-
cpe:2.3:a:7-zip:7-zip:4.29
-
cpe:2.3:a:7-zip:7-zip:4.30
-
cpe:2.3:a:7-zip:7-zip:4.31
-
cpe:2.3:a:7-zip:7-zip:4.32
-
cpe:2.3:a:7-zip:7-zip:4.33
-
cpe:2.3:a:7-zip:7-zip:4.34
-
cpe:2.3:a:7-zip:7-zip:4.35
-
cpe:2.3:a:7-zip:7-zip:4.36
-
cpe:2.3:a:7-zip:7-zip:4.37
-
cpe:2.3:a:7-zip:7-zip:4.38
-
cpe:2.3:a:7-zip:7-zip:4.39
-
cpe:2.3:a:7-zip:7-zip:4.40
-
cpe:2.3:a:7-zip:7-zip:4.41
-
cpe:2.3:a:7-zip:7-zip:4.42
-
cpe:2.3:a:7-zip:7-zip:4.43
-
cpe:2.3:a:7-zip:7-zip:4.44
-
cpe:2.3:a:7-zip:7-zip:4.45
-
cpe:2.3:a:7-zip:7-zip:4.46
-
cpe:2.3:a:7-zip:7-zip:4.47
-
cpe:2.3:a:7-zip:7-zip:4.48
-
cpe:2.3:a:7-zip:7-zip:4.49
-
cpe:2.3:a:7-zip:7-zip:4.50
-
cpe:2.3:a:7-zip:7-zip:4.51
-
cpe:2.3:a:7-zip:7-zip:4.52
-
cpe:2.3:a:7-zip:7-zip:4.53
-
cpe:2.3:a:7-zip:7-zip:4.54
-
cpe:2.3:a:7-zip:7-zip:4.55
-
cpe:2.3:a:7-zip:7-zip:4.56
-
cpe:2.3:a:7-zip:7-zip:4.57
-
cpe:2.3:a:7-zip:7-zip:4.58
-
cpe:2.3:a:7-zip:7-zip:4.59
-
cpe:2.3:a:7-zip:7-zip:4.60
-
cpe:2.3:a:7-zip:7-zip:4.61
-
cpe:2.3:a:7-zip:7-zip:4.62
-
cpe:2.3:a:7-zip:7-zip:4.63
-
cpe:2.3:a:7-zip:7-zip:4.64
-
cpe:2.3:a:7-zip:7-zip:4.65
-
cpe:2.3:a:7-zip:7-zip:9.04
-
cpe:2.3:a:7-zip:7-zip:9.06
-
cpe:2.3:a:7-zip:7-zip:9.07
-
cpe:2.3:a:7-zip:7-zip:9.09
-
cpe:2.3:a:7-zip:7-zip:9.10
-
cpe:2.3:a:7-zip:7-zip:9.11
-
cpe:2.3:a:7-zip:7-zip:9.12
-
cpe:2.3:a:7-zip:7-zip:9.13
-
cpe:2.3:a:7-zip:7-zip:9.14
-
cpe:2.3:a:7-zip:7-zip:9.15
-
cpe:2.3:a:7-zip:7-zip:9.16
-
cpe:2.3:a:7-zip:7-zip:9.17
-
cpe:2.3:a:7-zip:7-zip:9.18
-
cpe:2.3:a:7-zip:7-zip:9.19
-
cpe:2.3:a:7-zip:7-zip:9.20
-
cpe:2.3:a:7-zip:7-zip:9.21
-
cpe:2.3:a:7-zip:7-zip:9.22
-
cpe:2.3:a:7-zip:7-zip:9.34
-
cpe:2.3:a:7-zip:7-zip:9.35
-
cpe:2.3:a:7-zip:7-zip:9.36
-
cpe:2.3:a:7-zip:7-zip:9.38