7-Zip Flaws Allow Arbitrary Code Execution, Vulnerabilities Attackers

A critical heap buffer overflow vulnerability has been disclosed in 7-Zip version 26.00. This flaw enables attackers to achieve arbitrary code execution by exploiting a defect in the tool’s NTFS archive handler, specifically through a vtable hijack.

Tracked as CVE-2026-48095 and assigned advisory GHSL-2026-140, the flaw resides in the CInStream::GetCuSize() function inside NtfsHandler.cpp. The function computes the NTFS compression-unit buffer size using a 32-bit shift operation: (UInt32)1 << (BlockSizeLog + CompressionUnit).

When a crafted NTFS image sets ClusterSizeLog >= 28 — a value explicitly accepted by the parser and a compressed data attribute carries CompressionUnit == 4, the shift exponent reaches 32, triggering undefined behavior (UB) in C++. On x86 hardware, this UB causes _inBuf to be allocated as just 1 byte due to hardware masking of shift counts.

The undersized 1-byte buffer is immediately used in a ReadStream_FALSE call that writes up to 256 MB of attacker-controlled data into that single-byte allocation.

Since the stream object CInStream is allocated only 304 bytes after _inBuf on the heap, the first 64 KB read iteration overwrites the object’s vtable pointer.

The second iteration dispatches through the corrupted vtable a classic vtable hijack with the attacker in full control of the overwritten pointer via crafted NTFS cluster content.

Both 32-bit and 64-bit builds are affected. On 64-bit systems with 16 GB or more RAM, the _outBuf.Alloc(8 GB) call succeeds and execution proceeds directly to the overflow. On low-memory systems, allocation failure limits the impact to denial-of-service (DoS).

A particularly dangerous aspect of this vulnerability is its extension-agnostic attack surface. The NTFS handler uses signature-based fallback detection, matching on the "NTFS " signature at byte offset 3.

This means a crafted NTFS image disguised with any file extension — .7z, .zip, .rar, or even no extension, can trigger the vulnerable handler after the extension-matched handler rejects it. No interaction beyond opening the crafted file is required.

The vulnerability carries a CVSS 3.1 score of 8.8 (High) with a vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. It is classified under CWE-787 (Out-of-Bounds Write) and CWE-190 (Integer Overflow or Wraparound). All 7-Zip versions through 26.00 are affected, as the flawed GetCuSize() computation has existed since NTFS compressed stream support was first introduced.

The vulnerability was discovered and responsibly reported by Jaroslav Lobačevski (@JarLob) of the GitHub Security Lab. Confirmation was achieved using UBSan (UndefinedBehaviorSanitizer) under Clang on Linux x64, which flagged the root-cause shift UB at NtfsHandler.cpp:687 followed by a cascading invalid vtable dereference leading to a SIGSEGV.

Users are strongly advised to update 7-Zip to a patched version immediately and avoid opening untrusted archive files or disk images of any extension until a fix is applied.

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.