TL;DR
The Zero Day Initiative published advisory ZDI-26-444 on July 15, 2026. It covers a 7-Zip vulnerability tracked as CVE-2026-14266, scored CVSS 7.0, that can lead to remote code execution. Version 26.02 already carries the fix.
Why it matters
7-Zip runs on countless desktops, servers, and build pipelines. People open archives from email and downloads every day. A parsing bug therefore turns routine file handling into a code execution risk. One limit applies: the target must open a malicious file or visit a malicious page.
How the attack works
The flaw sits in how 7-Zip processes XZ chunked data. Crafted XZ-compressed data can overflow a heap-based buffer. An attacker who wins that race runs code in the context of the current process. No prior privileges are needed.
The score reflects real limits. ZDI’s advisory rates the attack vector as local, with high complexity and required user interaction. Those factors hold the rating at 7.0 despite full impact on confidentiality, integrity, and availability.
Exploitation status
Nobody has confirmed exploitation in the wild. No public proof-of-concept exists either. Landon Peng of Lunbun LLC reported the issue on June 5, 2026, and ZDI released the 7-Zip vulnerability details through coordinated disclosure six weeks later.
Affected versions
ZDI does not publish a full affected range. Instead, the advisory states only that 7-Zip 26.02 contains the fix. Treat every earlier build as exposed until the vendor says otherwise.
Patch and mitigation steps
Update now. 7-Zip shipped 26.02 on June 25, 2026, so the fix landed three weeks before the advisory went public. Grab it from the official 7-Zip download page. Also hunt for bundled copies of 7z.dll inside other applications, since those often lag behind. Finally, remind users to treat archives from unknown senders with care. That habit blunts this 7-Zip vulnerability and the next one alike.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.