New 7-Zip Vulnerabilities Enable Arbitrary Code Execution

A critical heap buffer overflow vulnerability (CVE-2026-48095 / GHSL-2026-140) has been disclosed in 7-Zip version 26.00, affecting the popular open-source archive utility’s NTFS handler.

The flaw enables attackers to execute arbitrary code via a classic vtable hijack, requiring only that a victim open a specially crafted NTFS image file.

The vulnerability resides in the CInStream::GetCuSize() function within NtfsHandler.cpp, which computes the NTFS compression-unit buffer size using a 32-bit shift expression: (UInt32)1 << (BlockSizeLog + CompressionUnit).

Critical New 7-Zip Vulnerability

When an attacker-crafted NTFS image sets ClusterSizeLog to 28 or higher, a value explicitly accepted by the parser, and a compressed data attribute with CompressionUnit == 4, the shift exponent reaches 32, triggering undefined behavior (UB) in C++.

On x86 hardware, this UB causes _inBuf to be allocated as only 1 byte instead of its intended size, while the subsequent ReadStream_FALSE call attempts to write up to 256 MB of attacker-controlled data into that 1-byte buffer, SecurityLab said.
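The shift expression at the root of the bug, as an added illustration that is not 7-Zip's code: it models BlockSizeLog (assumed here to equal the image's ClusterSizeLog) and CompressionUnit as the two image-controlled inputs, shows why an exponent of 32 yields a 1-byte size on x86, and gives a checked replacement that rejects the exponent before shifting.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration, not 7-Zip code. blockSizeLog stands in for
 * BlockSizeLog (assumed equal to the image's ClusterSizeLog) and
 * compressionUnit for the attribute's CompressionUnit; both come from
 * the attacker-controlled NTFS image. */

/* What (UInt32)1 << (BlockSizeLog + CompressionUnit) was observed to
 * produce on x86 once the exponent reaches 32: the hardware masks the
 * shift count to 5 bits, so 1 << 32 silently becomes 1 << 0 == 1.
 * C/C++ make a shift by >= the type width undefined, so this is one
 * observed outcome, not a guarantee. */
static uint32_t cu_size_as_observed_on_x86(unsigned blockSizeLog, unsigned compressionUnit)
{
    unsigned exp = blockSizeLog + compressionUnit;
    return (uint32_t)1 << (exp & 31);
}

/* The size the expression was meant to produce, computed in 64 bits so
 * the arithmetic stays defined and the 32-bit overflow becomes visible. */
static uint64_t cu_size_intended(unsigned blockSizeLog, unsigned compressionUnit)
{
    unsigned exp = blockSizeLog + compressionUnit;
    return exp < 64 ? (uint64_t)1 << exp : UINT64_MAX;
}

/* Hardened replacement: refuse any exponent that does not fit the 32-bit
 * type before shifting, so an out-of-range image is rejected instead of
 * yielding a 1-byte buffer. Operands are range-checked first so the sum
 * itself cannot wrap. Returns false on rejection. */
static bool cu_size_checked(unsigned blockSizeLog, unsigned compressionUnit, uint32_t *out)
{
    if (blockSizeLog > 31 || compressionUnit > 31)
        return false;
    unsigned exp = blockSizeLog + compressionUnit;
    if (exp >= 32)
        return false;
    *out = (uint32_t)1 << exp;
    return true;
}

int main(void)
{
    uint32_t size = 0;
    /* Benign image: 4 KiB clusters (log 12), CompressionUnit 4 -> 64 KiB. */
    if (cu_size_checked(12, 4, &size))
        printf("benign: %u bytes\n", size);
    /* Reported case: ClusterSizeLog 28, CompressionUnit 4 -> exponent 32. */
    printf("intended: %llu bytes, observed on x86: %u byte(s), checked: %s\n",
           (unsigned long long)cu_size_intended(28, 4),
           cu_size_as_observed_on_x86(28, 4),
           cu_size_checked(28, 4, &size) ? "accepted" : "rejected");
    return 0;
}
```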

Heap layout analysis on a release build reveals that the CInStream stream object is allocated just 304 bytes after _inBuf on the heap.

The first Read() iteration, writing 64 KB of attacker-controlled cluster content, overwrites the stream object’s vtable pointer after only 304 bytes of overflow.

The second Read() call then dispatches through the corrupted vtable, a textbook vtable hijack. Because the attacker fully controls the written NTFS cluster data, they also control the overwritten vtable pointer, making reliable code execution feasible.

Both 32-bit and 64-bit builds are affected, though the behavior differs slightly. On 32-bit systems, both _inBuf and _outBuf receive undersized allocations, so the heap overflow occurs unconditionally.

On 64-bit builds, the _outBuf allocation may reach 8 GB, succeeding on systems with 16 GB or more RAM, after which execution proceeds to ReadStream_FALSE and the same overflow occurs.

On low-memory 64-bit systems, impact may be limited to denial-of-service. Critically, the NTFS handler does not require files with .ntfs or .img extensions to trigger the bug.

Because 7-Zip uses signature-based fallback detection, a crafted NTFS image with any extension, including .7z, .zip, .rar, or none at all, will be routed to the vulnerable handler after extension-matched handlers fail to open it. This significantly broadens the attack surface.

The flaw was discovered and reported by Jaroslav Lobačevski (@JarLob) of the GitHub Security Lab. The vulnerability was confirmed using UBSan (clang, Linux x64), which produced a runtime error at NtfsHandler.cpp:687 confirming the root-cause shift UB, followed by a SEGV due to an invalid vtable pointer.

Users are strongly advised to update 7-Zip to a version beyond 26.00 as soon as a patched release becomes available. The GetCuSize() computation has been present since the introduction of NTFS compressed stream support, meaning all prior versions are also vulnerable.


The post New 7-Zip Vulnerabilities Enable Arbitrary Code Execution appeared first on Cyber Security News.
