Shodan
Vulnerabilities
Vulnerable Software

Vulnerability Details CVE-2026-48104

7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain an uninitialized heap read in the SquashFS archive handler caused by a sparsely populated index array. In the SquashFS handler, _blockToNode is allocated with capacity for every metadata block but populated only when an inode crosses a block boundary, so a crafted image with few inodes spanning many blocks leaves most slots holding raw heap contents (the underlying allocator does not zero-initialize POD storage). When OpenDir looks up an attacker-influenced blockIndex (derived from the RootInode superblock field), it reads two of these uninitialized slots and passes them as the left/right bounds of a binary search over _nodesPos, which dereferences the midpoint without bounds checking; if the resulting value happens to match the search key, the returned index is used to read a full node struct from _nodes whose fields feed further directory parsing, forming a chained OOB read primitive that is heap-layout-dependent and not reliably triggerable. The SquashFS handler is enabled by default in stock 7z.dll and the issue triggers during Open() with no interaction beyond opening the file; impact is denial of service from wild-pointer dereference and potential heap information disclosure, with no write primitive. Version 26.01 fixes the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 10.4%
CVSS Severity
CVSS v3 Score 4.2
Products affected by CVE-2026-48104
  • 7-Zip » 7-Zip » Version: 15.05
    cpe:2.3:a:7-zip:7-zip:15.05
  • 7-Zip » 7-Zip » Version: 15.06
    cpe:2.3:a:7-zip:7-zip:15.06
  • 7-Zip » 7-Zip » Version: 15.07
    cpe:2.3:a:7-zip:7-zip:15.07
  • 7-Zip » 7-Zip » Version: 15.08
    cpe:2.3:a:7-zip:7-zip:15.08
  • 7-Zip » 7-Zip » Version: 15.09
    cpe:2.3:a:7-zip:7-zip:15.09
  • 7-Zip » 7-Zip » Version: 15.10
    cpe:2.3:a:7-zip:7-zip:15.10
  • 7-Zip » 7-Zip » Version: 15.11
    cpe:2.3:a:7-zip:7-zip:15.11
  • 7-Zip » 7-Zip » Version: 15.12
    cpe:2.3:a:7-zip:7-zip:15.12
  • 7-Zip » 7-Zip » Version: 15.13
    cpe:2.3:a:7-zip:7-zip:15.13
  • 7-Zip » 7-Zip » Version: 15.14
    cpe:2.3:a:7-zip:7-zip:15.14
  • 7-Zip » 7-Zip » Version: 16.00
    cpe:2.3:a:7-zip:7-zip:16.00
  • 7-Zip » 7-Zip » Version: 16.01
    cpe:2.3:a:7-zip:7-zip:16.01
  • 7-Zip » 7-Zip » Version: 16.02
    cpe:2.3:a:7-zip:7-zip:16.02
  • 7-Zip » 7-Zip » Version: 16.03
    cpe:2.3:a:7-zip:7-zip:16.03
  • 7-Zip » 7-Zip » Version: 16.04
    cpe:2.3:a:7-zip:7-zip:16.04
  • 7-Zip » 7-Zip » Version: 17.00
    cpe:2.3:a:7-zip:7-zip:17.00
  • 7-Zip » 7-Zip » Version: 17.01
    cpe:2.3:a:7-zip:7-zip:17.01
  • 7-Zip » 7-Zip » Version: 18.00
    cpe:2.3:a:7-zip:7-zip:18.00
  • 7-Zip » 7-Zip » Version: 18.01
    cpe:2.3:a:7-zip:7-zip:18.01
  • 7-Zip » 7-Zip » Version: 18.03
    cpe:2.3:a:7-zip:7-zip:18.03
  • 7-Zip » 7-Zip » Version: 18.05
    cpe:2.3:a:7-zip:7-zip:18.05
  • 7-Zip » 7-Zip » Version: 18.06
    cpe:2.3:a:7-zip:7-zip:18.06
  • 7-Zip » 7-Zip » Version: 19.00
    cpe:2.3:a:7-zip:7-zip:19.00
  • 7-Zip » 7-Zip » Version: 19.02
    cpe:2.3:a:7-zip:7-zip:19.02
  • 7-Zip » 7-Zip » Version: 20.00
    cpe:2.3:a:7-zip:7-zip:20.00
  • 7-Zip » 7-Zip » Version: 20.02
    cpe:2.3:a:7-zip:7-zip:20.02
  • 7-Zip » 7-Zip » Version: 21.00
    cpe:2.3:a:7-zip:7-zip:21.00
  • 7-Zip » 7-Zip » Version: 21.02
    cpe:2.3:a:7-zip:7-zip:21.02
  • 7-Zip » 7-Zip » Version: 21.03
    cpe:2.3:a:7-zip:7-zip:21.03
  • 7-Zip » 7-Zip » Version: 21.04
    cpe:2.3:a:7-zip:7-zip:21.04
  • 7-Zip » 7-Zip » Version: 21.06
    cpe:2.3:a:7-zip:7-zip:21.06
  • 7-Zip » 7-Zip » Version: 21.07
    cpe:2.3:a:7-zip:7-zip:21.07
  • 7-Zip » 7-Zip » Version: 22.01
    cpe:2.3:a:7-zip:7-zip:22.01
  • 7-Zip » 7-Zip » Version: 23.01
    cpe:2.3:a:7-zip:7-zip:23.01
  • 7-Zip » 7-Zip » Version: 24.05
    cpe:2.3:a:7-zip:7-zip:24.05
  • 7-Zip » 7-Zip » Version: 24.06
    cpe:2.3:a:7-zip:7-zip:24.06
  • 7-Zip » 7-Zip » Version: 24.07
    cpe:2.3:a:7-zip:7-zip:24.07
  • 7-Zip » 7-Zip » Version: 24.08
    cpe:2.3:a:7-zip:7-zip:24.08
  • 7-Zip » 7-Zip » Version: 24.09
    cpe:2.3:a:7-zip:7-zip:24.09
  • 7-Zip » 7-Zip » Version: 25.00
    cpe:2.3:a:7-zip:7-zip:25.00
  • 7-Zip » 7-Zip » Version: 25.01
    cpe:2.3:a:7-zip:7-zip:25.01
  • 7-Zip » 7-Zip » Version: 9.18
    cpe:2.3:a:7-zip:7-zip:9.18
  • 7-Zip » 7-Zip » Version: 9.19
    cpe:2.3:a:7-zip:7-zip:9.19
  • 7-Zip » 7-Zip » Version: 9.20
    cpe:2.3:a:7-zip:7-zip:9.20
  • 7-Zip » 7-Zip » Version: 9.21
    cpe:2.3:a:7-zip:7-zip:9.21
  • 7-Zip » 7-Zip » Version: 9.22
    cpe:2.3:a:7-zip:7-zip:9.22
  • 7-Zip » 7-Zip » Version: 9.34
    cpe:2.3:a:7-zip:7-zip:9.34
  • 7-Zip » 7-Zip » Version: 9.35
    cpe:2.3:a:7-zip:7-zip:9.35
  • 7-Zip » 7-Zip » Version: 9.36
    cpe:2.3:a:7-zip:7-zip:9.36
  • 7-Zip » 7-Zip » Version: 9.38
    cpe:2.3:a:7-zip:7-zip:9.38


Products
Pricing
Contact Us

Shodan ® - All rights reserved