Security researchers have disclosed a critical heap buffer overflow vulnerability in 7-Zip version 26.00 that enables attackers to achieve arbitrary code execution through a vtable hijack. Tracked as CVE-2026-48095, the flaw resides in the NTFS archive handler and carries a CVSS 3.1 score of 8.8 (High). All 7-Zip versions through 26.00 are affected, and users are urged to update to the patched version 26.01 immediately.
Technical Root Cause: Integer Overflow to Heap Buffer Overflow
The vulnerability originates in the CInStream::GetCuSize() function inside NtfsHandler.cpp. The function computes the NTFS compression-unit buffer size using a 32-bit shift operation. When a crafted NTFS image sets ClusterSizeLog to 28 or higher, and a compressed data attribute carries CompressionUnit set to 4, the combined shift exponent reaches 32, triggering undefined behavior in C++.
On x86 hardware, this causes the internal buffer to be allocated as just 1 byte: the processor masks a 32-bit shift count to its low five bits, so a shift by 32 behaves as a shift by 0 and the size expression evaluates to 1. This undersized allocation is immediately used in a ReadStream call that attempts to write up to 256 MB of attacker-controlled data into the single-byte allocation.
Since the stream object is allocated only 304 bytes after the buffer on the heap, the first 64 KB read iteration overwrites the object vtable pointer. The second iteration dispatches through the corrupted vtable — a classic vtable hijack with the attacker in full control of the overwritten pointer via crafted NTFS cluster content.
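Added illustration of the size computation the article describes, written as a defender would model it: a hypothetical function in the shape of the bug (a 32-bit shift whose count can reach 32, with the x86 count masking modelled explicitly rather than executed as undefined behaviour) beside a hardened version that validates the header-derived fields before shifting. This is not 7-Zip's code; the function names and the kMaxCuSizeLog limit are assumptions for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the compression-unit size computation the article
 * describes (size = 1 << (ClusterSizeLog + CompressionUnit)). Added for
 * illustration; this is not 7-Zip's source code. */

/* What a 32-bit x86 SHL does with an out-of-range count: the count is masked
 * to its low 5 bits. Modelling it avoids executing the undefined `1u << 32`. */
static uint32_t x86_shl32(uint32_t value, unsigned count) {
    return value << (count & 31);
}

/* Unchecked computation in the shape of the bug. For ClusterSizeLog = 28
 * and CompressionUnit = 4 the count is 32, which is masked to 0, so the
 * "buffer size" becomes 1 byte instead of the intended 4 GiB. */
static uint32_t unchecked_cu_size(unsigned clusterSizeLog, unsigned compressionUnit) {
    return x86_shl32(1u, clusterSizeLog + compressionUnit);
}

/* Hardened variant: validate each header-derived field before adding them,
 * reject exponents above an allocation limit (which also rules out the
 * undefined-behaviour range of 32 and up), and compute in 64 bits.
 * kMaxCuSizeLog is an assumed limit for this example, not 7-Zip's value.
 * Returns 0 when the image is rejected; a valid size is never 0. */
enum { kMaxCuSizeLog = 28 };  /* 2^28 = 256 MiB */

static uint64_t checked_cu_size(unsigned clusterSizeLog, unsigned compressionUnit) {
    if (clusterSizeLog > kMaxCuSizeLog || compressionUnit > kMaxCuSizeLog)
        return 0;                       /* malformed or hostile header */
    unsigned shift = clusterSizeLog + compressionUnit;  /* cannot wrap now */
    if (shift > kMaxCuSizeLog)
        return 0;
    return (uint64_t)1 << shift;
}

/* Second guard the article's chain calls for: a read into the buffer must
 * never exceed the size that was actually allocated. Returns 1 if it fits. */
static int read_len_fits(uint64_t bufSize, uint64_t requested) {
    return requested <= bufSize;
}

int main(void) {
    printf("unchecked 28+4 -> %u byte(s)\n", unchecked_cu_size(28, 4));
    printf("checked   28+4 -> %llu (0 = rejected)\n",
           (unsigned long long)checked_cu_size(28, 4));
    printf("checked   12+4 -> %llu\n", (unsigned long long)checked_cu_size(12, 4));
    return 0;
}
```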
Extension-Agnostic Attack Surface
One of the most dangerous aspects of CVE-2026-48095 is that it is completely extension-agnostic. The NTFS handler uses signature-based fallback detection, matching on the “NTFS” signature at byte offset 3. This means a crafted NTFS image disguised with any file extension — .7z, .zip, .rar, or even no extension at all — can trigger the vulnerable handler after the primary extension-matched handler rejects it.
No interaction beyond opening the crafted file is required. An attacker only needs to convince a target to open a malicious archive, which can easily be delivered via email, download link, or phishing campaign. This significantly widens the potential attack surface compared to vulnerabilities that only trigger through specific file formats.
Platform Impact and Memory Requirements
Both 32-bit and 64-bit builds of 7-Zip are affected. The severity of impact differs based on available system RAM:
- On 64-bit systems with 16 GB or more RAM, a large buffer allocation succeeds and execution proceeds directly to the overflow, enabling full remote code execution.
- On low-memory systems, the allocation failure limits impact to a denial-of-service crash rather than code execution.
Given that most modern enterprise workstations and servers exceed 16 GB of RAM, the majority of real-world targets are likely vulnerable to the full code execution path.
Discovery and Responsible Disclosure
The vulnerability was discovered and responsibly reported by Jaroslav Lobachevski of the GitHub Security Lab, assigned advisory GHSL-2026-140. Confirmation was achieved using UndefinedBehaviorSanitizer (UBSan) under Clang on Linux x64, which flagged the root-cause shift undefined behavior at NtfsHandler.cpp:687, followed by a cascading invalid vtable dereference.
The vulnerability is classified under CWE-787 (Out-of-Bounds Write) and CWE-190 (Integer Overflow or Wraparound). The flawed buffer size computation has existed in 7-Zip since NTFS compressed stream support was first introduced, meaning the vulnerable code has been present across numerous versions for many years.
Affected Versions and Remediation
All 7-Zip versions through and including 26.00 contain this vulnerability. A patched release, 7-Zip 26.01, has been made available and addresses CVE-2026-48095 by correcting the buffer size computation in the NTFS handler.
Recommended actions for defenders and administrators:
- Update to 7-Zip 26.01 immediately on all systems where 7-Zip is installed.
- Audit software inventories — 7-Zip is commonly bundled with other software and may be present on systems where administrators are unaware of the installation.
- Treat all archive files from untrusted sources as potentially malicious, regardless of file extension.
- Consider sandboxing or restricting archive-extraction operations in high-risk environments until patches are applied across the fleet.
Given the ubiquity of 7-Zip across both enterprise and consumer environments, and the ease with which a malicious archive can be delivered through common attack vectors, CVE-2026-48095 should be treated as a high-priority patching item for all organizations.