7-Zip: Update closes code smuggling vulnerability
The popular compression program 7-Zip contains a vulnerability that allows the injection of malicious code. An update is available.
IT researchers have discovered a security vulnerability in the archiving program 7-Zip that allows attackers to inject malicious code. Opening a carefully crafted archive file is sufficient for this. An update to close the security hole is available.
The GitHub Security Team has published a corresponding vulnerability entry. According to the entry, malicious actors can provoke a heap-based buffer overflow in 7-Zip 26.00. When processing compressed NTFS streams, a buffer that is too small can be created, which can lead to the app crashing or even to the execution of arbitrary code (CVE-2026-48095, CVSS 8.8, risk “high”).
The behavior of the vulnerability differs depending on the word width of the system architecture. 32-bit builds are affected in any case; on 64-bit systems, it depends on how much RAM is actually installed in the system. On systems with 16 GByte and more, the memory allocation succeeds, so that malicious code can be injected there.
On systems with less memory, the allocation can fail, which then leads to a denial-of-service condition. The report also contains proof-of-concept code, so attackers could soon include the vulnerability in their standard repertoire.
The SOC Prime Team has published a blog post about the vulnerability. The vulnerability is dangerous because attackers do not need to use special file extensions for the manipulated archives to activate the NTFS handler. The extensions can be arbitrary, such as .7z, .zip, .rar, or similar. If the handlers responsible for those extensions cannot process the data in the file, 7-Zip applies a kind of MIME magic and passes the input to the NTFS handler, because that handler recognizes and processes the file.
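Because the handler is chosen by content rather than by extension, filtering on file names does not help; a triage sweep has to look at the first bytes of each file. The following Python sketch is an added example, not code from the vulnerability entry, SOC Prime, or the 7-Zip project: it flags files that carry the NTFS boot-sector signature (OEM ID "NTFS    " at offset 3 and the 0x55AA marker at offset 510) under an extension where no disk image is expected. The extension allowlist, the function names and the sample files are assumptions constructed for illustration, and the check only covers a raw NTFS image at the start of a file.

```python
import os
import tempfile

NTFS_OEM_ID = b"NTFS    "            # OEM ID at offset 3 of an NTFS boot sector
DISK_IMAGE_EXTS = {".img", ".ntfs"}  # assumption: where a raw NTFS image is expected
EXPECTED_MAGIC = {                   # well-known signatures for the claimed format
    ".7z": (b"7z\xbc\xaf\x27\x1c",), ".rar": (b"Rar!\x1a\x07",),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
}

def classify(path):
    """Return 'ntfs-disguised', 'mismatch', 'ok' or 'unchecked' for one file."""
    ext = os.path.splitext(path)[1].lower()
    with open(path, "rb") as fh:
        head = fh.read(512)
    looks_ntfs = head[3:11] == NTFS_OEM_ID and head[510:512] == b"\x55\xaa"
    if looks_ntfs and ext not in DISK_IMAGE_EXTS:
        return "ntfs-disguised"
    if ext not in EXPECTED_MAGIC:
        return "unchecked"
    return "ok" if head.startswith(EXPECTED_MAGIC[ext]) else "mismatch"

def scan(root):
    """Walk root; return {relative path: verdict} for files needing review."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                verdict = classify(path)
            except OSError:
                continue  # unreadable file: skip, do not abort the sweep
            if verdict in ("ntfs-disguised", "mismatch"):
                findings[os.path.relpath(path, root)] = verdict
    return findings

def build_samples(root):
    """Write constructed sample files (signature bytes only, no real data)."""
    boot = b"\xebR\x90" + NTFS_OEM_ID + bytes(499) + b"\x55\xaa"
    samples = {"invoice.zip": boot, "backup.7z": b"7z\xbc\xaf\x27\x1c" + bytes(26),
               "disk.img": boot, "notes.rar": b"plain text", "readme.txt": b"hi"}
    for name, data in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_samples(tmp)
        print(scan(tmp))
```

A hit is a reason to quarantine the file and review it on a patched system, not proof of an exploit attempt.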
Updated Software
The problem exists in 7-Zip 26.00. On April 27, 2026, 7-Zip 26.01 was released, which closes this security vulnerability, among others. Since 7-Zip does not have an automatic update mechanism, users and administrators must perform the update manually. At the Windows command prompt, the command winget upgrade --all should find and install the update.
Otherwise, the current 7-Zip version is available for download on the project's download page. Another download page on SourceForge provides updates for various platforms besides Windows and also lists further changes compared to version 26.00.
The update should be done quickly. Last November, attackers exploited a vulnerability in 7-Zip to push malware to their victims.
(dmk)