New 7-Zip Vulnerabilities Let Attackers Execute Arbitrary Code and Compromise Systems
\n \t
\n
<\/BR>
\n
\n \t
\n
<\/BR><\/p>\n
A critical heap buffer overflow vulnerability has been disclosed in 7-Zip version 26.00, enabling attackers to achieve arbitrary code execution via a vtable hijack by exploiting a defect in the tool\u2019s NTFS archive handler.<\/p>\n
Tracked as CVE-2026-48095 and assigned advisory GHSL-2026-140, the flaw resides in the When a crafted NTFS image sets The undersized 1-byte buffer is immediately used in a Since the stream object The second iteration dispatches through the corrupted vtable a classic vtable hijack with the attacker in full control of the overwritten pointer via crafted NTFS cluster content.<\/p>\n Both 32-bit and 64-bit builds are affected. On 64-bit systems with 16 GB or more RAM, the A particularly dangerous aspect of this vulnerability is its extension-agnostic attack surface. The NTFS handler uses signature-based fallback detection, matching on the This means a crafted NTFS image disguised with any file extension \u2014 The vulnerability carries a CVSS 3.1 score of 8.8 (High) with a vector The vulnerability was discovered<\/a> and responsibly reported by Jaroslav Loba\u010devski (@JarLob) of the GitHub Security Lab. Confirmation was achieved using UBSan (UndefinedBehaviorSanitizer) under Clang on Linux x64, which flagged the root-cause shift UB at Users are strongly advised to update 7-Zip to a patched version v26.01 immediately and avoid opening untrusted archive files or disk images of any extension until a fix is applied.<\/p>\n Follow us on\u00a0Google News<\/a>,\u00a0LinkedIn<\/a>,\u00a0and\u00a0X<\/a>\u00a0to Get More Instant Updates.<\/strong><\/p>\n The post New 7-Zip Vulnerabilities Let Attackers Execute Arbitrary Code and Compromise Systems<\/a> appeared first on Cyber Security News<\/a>.<\/p>\n<\/div>\nCInStream::GetCuSize()<\/code> function inside NtfsHandler.cpp<\/code>. The function computes the NTFS compression-unit buffer size using a 32-bit shift operation: (UInt32)1 << (BlockSizeLog + CompressionUnit)<\/code>.<\/p>\nClusterSizeLog >= 28<\/code> \u2014 a value explicitly accepted by the parser and a compressed data attribute carries CompressionUnit == 4<\/code>, the shift exponent reaches 32, triggering undefined behavior (UB) in C++. On x86 hardware, this UB causes _inBuf<\/code> to be allocated as just 1 byte due to hardware masking of shift counts.<\/p>\nReadStream_FALSE<\/code> call that writes up to 256 MB of attacker-controlled data into that single-byte allocation.<\/p>\nCInStream<\/code> is allocated only 304 bytes after _inBuf<\/code> on the heap, the first 64 KB read iteration overwrites the object\u2019s vtable pointer.<\/p>\n_outBuf.Alloc(8 GB)<\/code> call succeeds and execution proceeds directly to the overflow. On low-memory systems, allocation failure limits the impact to denial-of-service (DoS)<\/a>.<\/p>\n\"NTFS \"<\/code> signature at byte offset 3.<\/p>\n.7z<\/code>, .zip<\/code>, .rar<\/code>, or even no extension, can trigger the vulnerable handler after the extension-matched handler rejects it. No interaction beyond opening the crafted file is required.<\/p>\nAV:N\/AC:L\/PR:N\/UI:R\/S:U\/C:H\/I:H\/A:H<\/code>. It is classified under CWE-787 (Out-of-Bounds Write) and CWE-190 (Integer Overflow or Wraparound). All 7-Zip versions through 26.00 are affected, as the flawed GetCuSize()<\/code> computation has existed since NTFS compressed stream support was first introduced.<\/p>\nNtfsHandler.cpp:687<\/code> followed by a cascading invalid vtable dereference leading to a SIGSEGV<\/code>.<\/p>\n