Security researchers have uncovered a critical security flaw in the popular file archiver 7-Zip. Specifically, this 7-Zip heap buffer overflow vulnerability allows attackers to crash the application or execute arbitrary code. The bug affects version 26.00 and is tracked as CVE-2026-48095. Jaroslav Lobačevski from the GitHub Security Lab (GHSL) discovered the flaw. Consequently, the team publicly disclosed the full details and proof-of-concept exploit code to the security community.
Inside the Technical Root Cause
The issue stems from an under-allocation error in the NTFS compressed stream buffer. The technical report states that “a heap buffer overflow vulnerability exists in the NTFS archive handler in 7-Zip”. The problem occurs within the CInStream::GetCuSize() function during size computation. Furthermore, a crafted NTFS image can force an integer shift exponent to reach 32, which for a 32-bit operand is undefined behavior in C++. As a result, the computed size is wrong, and the application allocates an internal buffer of just 1 byte.
Mechanism of the Heap Overflow
The vulnerability escalates as soon as stream data is read into the undersized buffer, producing a massive memory overwrite. The report notes that “the subsequent ReadStream_FALSE writes 256 MB of attacker-controlled data into this 1-byte buffer.” Because the buffer is tiny, the write immediately spills over into adjacent heap memory. For instance, the data overwrites the stream object’s vtable pointer after only 304 bytes. The second read iteration then dispatches execution through this corrupted vtable. Ultimately, this classic vtable hijack can allow arbitrary code execution on modern systems.
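The defect class described above, a shift-derived size that is never range-checked before allocation, is illustrated by the following added example. It is not 7-Zip's code; the function names, the size cap and the sample data are hypothetical and only show the check a parser should apply before sizing a buffer from a header field.

```c
/* Added example (hypothetical, not 7-Zip's code): computing a buffer size
 * from a header-supplied shift exponent and validating it before any write. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical cap on a single decoded stream (64 MB). */
#define STREAM_SIZE_LIMIT (64u * 1024u * 1024u)

/* Returns (1 << shift) as a byte count, or 0 when the shift is invalid or the
 * result exceeds the cap. Shifting a 32-bit operand by 32 or more is
 * undefined behaviour in C/C++; a naive `1u << shift` on an untrusted header
 * value is exactly how a size computation can collapse into a tiny buffer. */
uint32_t checked_shift_size(uint32_t shift) {
    if (shift >= 32) {
        return 0;                        /* reject before the UB can occur */
    }
    uint64_t size = (uint64_t)1 << shift; /* compute in 64 bits */
    if (size > STREAM_SIZE_LIMIT) {
        return 0;                        /* refuse oversized allocations */
    }
    return (uint32_t)size;
}

/* Allocates a buffer sized from `shift` and copies `len` bytes of stream data
 * into it. Returns 0 on success and -1 when the header is invalid or the
 * declared length does not fit; the length is checked against the allocation
 * before the copy, so an undersized buffer can never be overrun. */
int read_stream_checked(uint32_t shift, const uint8_t *data, size_t len,
                        uint8_t **out) {
    uint32_t buf_size = checked_shift_size(shift);
    if (buf_size == 0 || len > buf_size) {
        return -1;
    }
    uint8_t *buf = malloc(buf_size);
    if (buf == NULL) {
        return -1;
    }
    memcpy(buf, data, len);
    *out = buf;
    return 0;
}
```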
Broad Attack Surface and Risks
Attackers do not need to rely on a specific file extension to exploit this 7-Zip heap buffer overflow, because 7-Zip uses signature-based fallback detection during file extraction. When an extension match fails, the software automatically tries all remaining archive handlers in priority order. Specifically, the NTFS handler matches a signature at byte offset 3. Thus, a crafted file disguised as a .7z, .zip, or .rar archive will still trigger the exploit.
Public Disclosure and Mitigation
The security community currently faces a heightened risk due to public disclosure. Specifically, the researcher published a functional Python-based proof-of-concept generator named gen_ntfs_sparse.py. This tool synthesizes a 512 MB sparse NTFS image from scratch to trigger the undefined behavior. Because the exploit script is easily accessible, malicious actors can quickly adapt it for real-world attacks. Consequently, users must exercise caution when opening untrusted archive files from unverified sources. Additionally, administrators should update their 7-Zip installations immediately to prevent potential system compromise.