Secure Bulletin Navigating the cyber sea with knowledge
Home > Articolo > Critical 7-Zip Flaw Lets Booby-Trapped Archives Hijack Your System
Critical 7-Zip Flaw Lets Booby-Trapped Archives Hijack Your System
Read Time:3 Minute, 18 Second

A newly disclosed security flaw in 7-Zip, arguably the most widely deployed free file-compression utility in the world, could let an attacker run arbitrary code on a victim’s machine. The bug, tracked as CVE-2026-14266, has already been fixed in the latest release, but the sheer install base of 7-Zip means unpatched systems will remain an attractive target for some time.

A Heap Overflow Hiding Inside XZ Data

The root cause lies in how 7-Zip parses XZ-compressed data streams. XZ is a widely used compression format, and 7-Zip’s handling of “chunked” XZ data contains a flaw that allows specially malformed input to trigger a heap-based buffer overflow.

In plain terms, a heap overflow happens when a program tries to write more data into a reserved block of memory than that block was actually allocated to hold. The excess data spills over into adjacent memory, corrupting it. Attackers who can precisely control what gets written into that overflow can hijack a program’s execution flow and run their own malicious code instead of the legitimate application logic, all within the security context of whatever user account opened the file.

How a Victim Gets Compromised

Unlike some server-side vulnerabilities that can be triggered without any user involvement, this flaw requires a victim to take some action. Specifically, exploitation happens if a target either opens a maliciously crafted archive file, or visits a web page engineered to deliver the malformed XZ payload through the browser.

According to the advisory published through the Zero Day Initiative, once that action occurs, the corrupted XZ data overflows the heap buffer during processing, and the attacker’s payload executes quietly in the background, with no obvious warning sign to the user that anything unusual has happened.

Why This Matters at Scale

7-Zip’s popularity is precisely what makes this bug significant despite the user-interaction requirement. It’s bundled into countless IT workflows, embedded in automated extraction pipelines, and used casually by everyday users who trust that opening a zip-like file is a routine, low-risk action.

That trust is exactly what attackers exploit. Phishing campaigns already rely heavily on malicious attachments to get victims to open files; a compressed archive exploiting a code-execution bug is a natural fit for that playbook, whether the end goal is deploying commodity malware, staging a ransomware payload, or simply establishing an initial foothold inside a larger network for later lateral movement.

Compounding the risk, most users don’t deeply inspect the internal structure of a compressed file before extracting or opening it. A malicious XZ archive can be made to look entirely ordinary right up until the moment it’s opened, at which point the exploit has already fired.

Patch Details and Recommended Mitigations

The vulnerability is resolved in 7-Zip version 26.02. Security researchers and the vendor recommend the following steps for users and IT administrators alike:

  • Update to 7-Zip 26.02 or later immediately across all managed endpoints.
  • Avoid opening archive files that arrive from unknown senders or untrusted download sources, even if the filenames look legitimate.
  • Enable scanning of email attachments specifically for compressed file formats, since many gateway filters treat archives as lower priority than obvious executables.
  • Provide employee awareness training that specifically calls out the risk of unsolicited compressed attachments, not just executable files.

A Reminder About Trusted Software

The flaw was responsibly disclosed by researcher Landon Peng of Lunbun LLC, which allowed 7-Zip’s maintainers to ship a fix before the details became public. Even so, CVE-2026-14266 is a useful reminder that widely trusted, long-established software isn’t immune to serious memory-safety bugs. Compression utilities in particular sit at a uniquely exposed position in the software supply chain: they’re built specifically to parse untrusted, attacker-controllable input by default. Organizations should prioritize rolling out this patch broadly and continue reinforcing cautious file-handling habits to reduce their exposure to this and future compression-related vulnerabilities.

Share: Twitter  |  Facebook  |  LinkedIn
Join the discussion

This is a blog in the Fediverse: you can find this article everywhere with @blog@securebulletin.com and every comment/answer will appear here.

If you want to comment on Critical 7-Zip Flaw Lets Booby-Trapped Archives Hijack Your System, use the discussion on Forum.

>> forum community

Comments

Leave a Reply