
May 29, 2026

Public PoC available for 7‑Zip memory corruption flaw


At a glance: A high-severity vulnerability in 7-Zip (CVE-2026-48095) exposes systems to potential code execution through malicious archive files, with public proof-of-concept code now available. The flaw requires only that a user or system opens a crafted file, making common workflows such as email attachments and downloads viable attack paths. Organizations running 7-Zip 26.00 are at risk until updated to version 26.01, particularly where external files are routinely processed.

Threat summary

On May 22, a researcher published proof-of-concept (PoC) code for a high-severity vulnerability in the 7-Zip file archiver. The vulnerability was disclosed through GitHub Security Lab advisory GHSL-2026-140, which includes detailed technical analysis and a PoC generator.

The issue, tracked as CVE-2026-48095, is a heap-based buffer overflow caused by an integer overflow in memory size calculation, leading to out-of-bounds writes and potential code execution. The flaw occurs because 7-Zip miscalculates how much memory is required when processing certain file data. It allocates a very small buffer and then writes a large amount of attacker-controlled data into it, resulting in memory corruption.

The vulnerability carries a CVSS score of 8.8, indicating high severity.

Exploitation becomes possible when:

  • A system is running 7-Zip 26.00 or earlier

  • A file from an external source is opened or automatically processed

  • That file contains a crafted NTFS structure designed to trigger the memory handling flaw

The malicious content can be embedded in files that appear to be standard archives such as ZIP or 7z, since 7-Zip processes files based on content rather than extension. Opening the file is sufficient to trigger the issue, and the outcome depends on the system environment, with results ranging from application crash to potential code execution in the context of the user or service handling the file.

A patched version, 7-Zip 26.01, was released on April 27, 2026.

Analysis

Because 7-Zip is frequently used to open files received through email, downloads, and file-sharing platforms, this vulnerability introduces risk across common enterprise workflows. Environments that automatically process archives, such as file servers or applications that extract uploaded content, are exposed if they rely on vulnerable versions.

Updating 7-Zip to version 26.01 or later removes the vulnerable code path and addresses the issue. Because 7-Zip does not include an automatic update mechanism, validating deployed versions across endpoints and server environments reduces exposure.
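One way to run the version validation described above over an exported software inventory, as an added example that is not part of the original advisory. The CSV layout, hostnames and version strings are constructed assumptions; only the 26.01 fixed version comes from this page.

```python
import csv
import io
import re

FIXED = (26, 1)  # 7-Zip 26.01, the patched release named in this advisory

# Constructed sample inventory export (hostnames and values are made up).
SAMPLE_INVENTORY = """host,product,version
ws-014,7-Zip 26.00 (x64),26.00
ws-022,7-Zip 26.01 (x64),26.01
srv-upload-1,7-Zip 24.09 (x64),24.09.00.0
ws-031,7-Zip 9.20,9.20
build-07,7-Zip,
"""

_VERSION_RE = re.compile(r"(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor) from strings like '26.00' or '7-Zip 24.09 (x64)', else None."""
    m = _VERSION_RE.search(text or "")
    return (int(m.group(1)), int(m.group(2))) if m else None


def classify(row):
    """Classify one inventory row as 'patched', 'vulnerable' or 'unknown'."""
    # Prefer the version column; fall back to the product display name.
    version = parse_version(row.get("version")) or parse_version(row.get("product"))
    if version is None:
        return "unknown"  # no usable version: check the host by hand
    # Compare as integer tuples; string comparison would rank '9.20' above '26.01'.
    return "patched" if version >= FIXED else "vulnerable"


def audit(inventory_csv):
    """Map each status to the list of hosts in that state."""
    result = {"patched": [], "vulnerable": [], "unknown": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "7-zip" in (row.get("product") or "").lower():
            result[classify(row)].append(row["host"])
    return result


if __name__ == "__main__":
    for status, hosts in audit(SAMPLE_INVENTORY).items():
        print(f"{status:10} {', '.join(hosts) or '-'}")
```

Hosts reported as unknown have a 7-Zip entry with no readable version and should be checked directly rather than assumed patched.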

Reducing exposure to untrusted archive files lowers the likelihood of triggering the vulnerability. Monitoring for abnormal 7-Zip activity or unexpected archive processing events can provide visibility into potential exploitation attempts.
