GitHub Security Lab has disclosed CVE-2026-48095 (GHSL-2026-140), a heap buffer overflow in 7-Zip’s NTFS image parser that gives an attacker arbitrary code execution from a single double-click. The bug was found by Jaroslav Lobačevski and carries a CVSS 3.1 score of 8.8. Every release through 7-Zip 26.00 is vulnerable; the fix landed in 26.01, which Igor Pavlov pushed quietly to the project site without a CVE reference in the changelog. A working proof-of-concept generator — gen_ntfs_sparse.py — is already public.
What Happened
The defect lives in CInStream::GetCuSize(), which calculates the buffer size for an NTFS compression unit using a 32-bit left shift: (UInt32)1 << (BlockSizeLog + CompressionUnit). The NTFS parser accepts a ClusterSizeLog of 28 or higher, and a compressed data attribute can set CompressionUnit == 4. Add them and the shift exponent reaches 32, which is undefined behavior in C++ for a 32-bit operand. On the toolchains 7-Zip ships with, the shift count is effectively taken modulo 32 (x86 masks a 32-bit shift count to its low five bits), so 1 << 32 evaluates to 1 << 0 == 1, and the subsequent allocation for _inBuf becomes a single byte.
7-Zip then hands that one-byte buffer to ReadStream_FALSE, which happily writes up to 256 MB of attacker-supplied bytes into it. The neighboring CInStream object sits only 304 bytes further along the heap; the first 64 KB read iteration steamrolls its vtable pointer. The second iteration dispatches a virtual call through the now-attacker-controlled vtable — a textbook vtable hijack with full control over RIP/EIP.
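The following C program is an added illustration of the size calculation described above and of its hardened form; it is not 7-Zip's code. The names cluster_log, cu_log, cu_size_unsafe, cu_size_checked and bounded_read are ours, and the 64 MB cap in the checked version is this example's policy, not a value taken from 7-Zip or the advisory. The unsafe variant writes the five-bit mask out explicitly so it is well-defined C; real code that shifts a 32-bit value by 32 is undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not 7-Zip's code. Reproduces the shape of the
 * compression-unit size calculation: a 32-bit "1 << n" whose exponent is
 * the sum of two attacker-controlled fields. Names are ours. */

/* Mirrors the 32-bit shift. x86 masks a 32-bit shift count to its low five
 * bits, so an exponent of 32 behaves like 0 and the "size" becomes 1. The
 * mask is written out so this is well-defined C; shifting a 32-bit value
 * by 32 in real code is undefined behaviour. */
static uint32_t cu_size_unsafe(unsigned cluster_log, unsigned cu_log)
{
    unsigned shift = cluster_log + cu_log;
    return (uint32_t)1 << (shift & 31);
}

/* Hardened form: reject exponents a 32-bit shift cannot represent, compute
 * in 64 bits, and cap the result. The 64 MB cap is this example's policy
 * (a compression unit is 16 clusters, so any real one is far smaller).
 * Returns 0 on rejection; 0 is never a valid unit size. */
#define MAX_CU_SIZE ((uint64_t)64 * 1024 * 1024)

static uint64_t cu_size_checked(unsigned cluster_log, unsigned cu_log)
{
    unsigned shift = cluster_log + cu_log;
    if (shift >= 32)
        return 0;
    uint64_t size = (uint64_t)1 << shift;
    if (size > MAX_CU_SIZE)
        return 0;
    return size;
}

/* Stand-in for the read into _inBuf that honours the buffer's real
 * capacity rather than the length the stream offers. Returns the number
 * of bytes actually copied. */
static size_t bounded_read(uint8_t *buf, size_t cap, const uint8_t *src, size_t avail)
{
    size_t n = avail < cap ? avail : cap;
    memcpy(buf, src, n);
    return n;
}

int main(void)
{
    uint8_t one_byte[1];
    uint8_t stream[4096];
    memset(stream, 0x41, sizeof stream);   /* constructed attacker data */

    /* The advisory's values: cluster size log 28 plus compression unit 4. */
    printf("unsafe  (28,4) -> %u\n", cu_size_unsafe(28, 4));
    printf("checked (28,4) -> %llu (0 = rejected)\n",
           (unsigned long long)cu_size_checked(28, 4));
    /* A sane image: 4 KB clusters, 16-cluster compression unit = 64 KB. */
    printf("checked (12,4) -> %llu\n", (unsigned long long)cu_size_checked(12, 4));

    /* Even with a one-byte buffer, a bounded read cannot overflow it. */
    printf("bounded_read copied %zu of %zu bytes\n",
           bounded_read(one_byte, sizeof one_byte, stream, sizeof stream),
           sizeof stream);
    return 0;
}
```

Run it and the unsafe path reports a unit size of 1 for the advisory's (28, 4) pair while the checked path rejects it; the same check also rejects a (27, 4) pair that would be well-defined but absurdly large, which is why the cap matters as well as the width test.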
Why You Cannot Just “Avoid NTFS Images”
The instinct is to wave this off — who double-clicks .ntfs files? Nobody does. That is not how the bug gets reached.
7-Zip uses signature-based fallback when its primary handler fails to parse an archive. A file named invoice.pdf, Q2_report.zip, or release.7z will be routed through the NTFS handler if the primary parser bails and the first bytes match an NTFS boot sector. The attacker controls both the filename and the content, so they pick whatever extension is most likely to be opened. Email attachments, shared-drive uploads, Slack/Teams file drops, browser downloads, and forensic-tooling pipelines that triage unknown samples in 7-Zip all hit the same code path.
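A content-versus-name check of the kind a mail gateway or triage step can run, added here as an example and not taken from 7-Zip or the advisory. It flags a file whose name claims a document or archive but whose first 512 bytes look like an NTFS boot sector. The signature used is the NTFS boot sector's OEM ID ("NTFS    " at offset 3) plus the 0x55AA end-of-sector marker; that this OEM ID is the same marker 7-Zip's NTFS handler keys on is our assumption, and the list of "honest" extensions (.ntfs, .img) is this example's policy.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not 7-Zip's code: spot the mismatch the fallback exploits,
 * a document/archive name carrying an NTFS boot sector. The OEM ID and the
 * 0x55AA marker are NTFS format facts; that 7-Zip keys on the OEM ID is
 * our assumption. */

#define SECTOR 512

static int looks_like_ntfs_boot_sector(const uint8_t *buf, size_t len)
{
    if (len < SECTOR)
        return 0;
    if (memcmp(buf + 3, "NTFS    ", 8) != 0)      /* OEM ID at offset 3 */
        return 0;
    return buf[510] == 0x55 && buf[511] == 0xAA;  /* boot sector marker */
}

/* ASCII case-insensitive suffix test. */
static int has_suffix(const char *name, const char *suffix)
{
    size_t n = strlen(name), s = strlen(suffix);
    if (s > n)
        return 0;
    for (size_t i = 0; i < s; i++) {
        char a = name[n - s + i], b = suffix[i];
        if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
        if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
        if (a != b)
            return 0;
    }
    return 1;
}

/* 1 when the content is an NTFS boot sector but the filename does not
 * admit to it. ".ntfs" and ".img" count as honest names (example policy). */
static int ntfs_extension_mismatch(const char *name, const uint8_t *buf, size_t len)
{
    if (!looks_like_ntfs_boot_sector(buf, len))
        return 0;
    return !(has_suffix(name, ".ntfs") || has_suffix(name, ".img"));
}

/* Fills dst (SECTOR bytes) with a constructed, minimal NTFS-looking sector. */
static void make_fake_ntfs_sector(uint8_t *dst)
{
    memset(dst, 0, SECTOR);
    dst[0] = 0xEB; dst[1] = 0x52; dst[2] = 0x90;   /* jump stub like a real sector */
    memcpy(dst + 3, "NTFS    ", 8);
    dst[510] = 0x55; dst[511] = 0xAA;
}

/* Evaluates a filename against the constructed sample sector. */
static int sample_sector_mismatch(const char *name)
{
    uint8_t sector[SECTOR];
    make_fake_ntfs_sector(sector);
    return ntfs_extension_mismatch(name, sector, SECTOR);
}

int main(void)
{
    static const uint8_t zip_head[] = { 'P', 'K', 3, 4, 0, 0, 0, 0 };  /* constructed */
    printf("invoice.pdf   with NTFS sector -> %d\n", sample_sector_mismatch("invoice.pdf"));
    printf("Q2_report.zip with NTFS sector -> %d\n", sample_sector_mismatch("Q2_report.zip"));
    printf("disk.ntfs     with NTFS sector -> %d\n", sample_sector_mismatch("disk.ntfs"));
    printf("Q2_report.zip with zip header  -> %d\n",
           ntfs_extension_mismatch("Q2_report.zip", zip_head, sizeof zip_head));
    return 0;
}
```

The check deliberately ignores the extension when deciding what the bytes are, which is the whole point: the attacker picks the name, so a gateway that filters on extension alone never sees the problem.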
Impact
7-Zip is everywhere infrastructure people do not normally think to inventory: Windows admin workstations, build agents, malware sandboxes, forensic VMs, the p7zip and 7zz binaries on Linux servers used for log rotation and archive ingestion, and CI steps that unpack vendor SDKs. Anywhere a CI runner unpacks an untrusted upload through 7-Zip — release assets, plugin marketplaces, customer-submitted bundles — is reachable from a network position. The vtable hijack gives full control of the parsing process, which on a build agent is generally the same identity that holds your signing keys, registry credentials, and deploy tokens.
There is no authentication requirement, no user interaction beyond opening the file in 7-Zip, and no exotic precondition on the host. ASLR and DEP raise the bar, but a vtable overwrite with attacker-controlled bytes is a friendly primitive for ROP, and the function table of CInStream is well-understood from public source.
Mitigation
Upgrade to 7-Zip 26.01 on every Windows desktop, every build agent, every analyst VM, and every Linux box running p7zip or the upstream 7zz binary. Confirm what is actually installed rather than trusting the package name: 7z and 7zz print their version in the first line of the banner when run with no arguments, and the file manager shows it under Help > About. Watch for distro lag: p7zip is unmaintained upstream, so check whether your package manager is shipping the patched code or a fork (the p7zip-zstd and Debian/Ubuntu forks have historically trailed Igor's tree by weeks). On macOS, Keka and other 7-Zip-derived tools should also be checked against their bundled library version.
If you cannot patch immediately:
- Block inbound archives at the mail gateway, filtering on content rather than extension alone (the hostile file will arrive as a .pdf or .zip, not a .ntfs), and disable 7-Zip's right-click "Open archive" handler on workstations where users do not need it.
- For CI pipelines, prefer bsdtar (libarchive) or unzip for known formats and reserve 7-Zip for cases where you actually need its broader format coverage. Where 7-Zip stays in the pipeline, pass the expected format explicitly with the -t switch (for example -tzip or -t7z) so that a file which does not parse as that format fails instead of being handed to another handler.
- Sandbox 7-Zip invocations on build agents (Firejail, Bubblewrap, or a Docker container with no host mounts and no network).
Detection: any 7-Zip process that spawns a shell or script interpreter (cmd.exe, powershell.exe, pwsh.exe, sh, bash) should fire on EDR. Key the rule on the child being an interpreter rather than on any child at all: 7zFM.exe legitimately launches the associated application when a user opens a document from inside an archive, but there is no benign reason for 7zFM.exe or 7zz to launch a shell, and a headless 7zz on a build agent has no business spawning one.
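The rule above, written out as an added detection example rather than a vendor rule or anything from the advisory. It evaluates process-creation events as (parent image, child image) pairs. The parent list extends the page's 7zFM.exe and 7zz with 7-Zip's other executables (7zG.exe, 7z.exe, 7za, 7zr) and the child list covers common Windows and Unix shells; both lists and the sample events are this example's own choices, and the events are constructed, not real telemetry.

```c
#include <stdio.h>
#include <string.h>

/* Added detection example, not a vendor rule. Flags a 7-Zip executable
 * spawning a shell interpreter. Parent and child lists are this example's
 * choice; the events below are constructed. */

static const char *k_7zip_images[] = { "7zfm.exe", "7zg.exe", "7z.exe", "7zz", "7za", "7zr" };
static const char *k_shells[]      = { "cmd.exe", "powershell.exe", "pwsh.exe",
                                       "sh", "bash", "dash", "zsh" };

/* Last path component, accepting both Windows and POSIX separators. */
static const char *basename_any(const char *path)
{
    const char *p = path, *last = path;
    for (; *p; p++)
        if (*p == '\\' || *p == '/')
            last = p + 1;
    return last;
}

/* ASCII case-insensitive string equality. */
static int ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++) {
        char x = *a, y = *b;
        if (x >= 'A' && x <= 'Z') x += 'a' - 'A';
        if (y >= 'A' && y <= 'Z') y += 'a' - 'A';
        if (x != y)
            return 0;
    }
    return *a == *b;
}

static int in_list(const char *name, const char **list, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (ieq(name, list[i]))
            return 1;
    return 0;
}

/* 1 when a 7-Zip executable spawned a shell interpreter. Non-shell children
 * are ignored on purpose: 7zFM.exe launches the associated application when
 * a user opens a document from inside an archive. */
static int is_7zip_shell_spawn(const char *parent_image, const char *child_image)
{
    return in_list(basename_any(parent_image), k_7zip_images,
                   sizeof k_7zip_images / sizeof *k_7zip_images)
        && in_list(basename_any(child_image), k_shells,
                   sizeof k_shells / sizeof *k_shells);
}

/* Runs the rule over constructed sample events; returns the alert count. */
static int scan_sample_events(void)
{
    static const char *events[][2] = {   /* constructed, not real telemetry */
        { "C:\\Program Files\\7-Zip\\7zFM.exe", "C:\\Windows\\System32\\cmd.exe" },
        { "C:\\Program Files\\7-Zip\\7zFM.exe", "C:\\Windows\\notepad.exe" },
        { "/usr/local/bin/7zz",                 "/bin/sh" },
        { "C:\\Windows\\explorer.exe",          "C:\\Windows\\System32\\cmd.exe" },
    };
    int alerts = 0;
    for (size_t i = 0; i < sizeof events / sizeof *events; i++) {
        int hit = is_7zip_shell_spawn(events[i][0], events[i][1]);
        printf("%-40s -> %-32s %s\n", events[i][0], events[i][1], hit ? "ALERT" : "ok");
        alerts += hit;
    }
    return alerts;
}

int main(void)
{
    printf("%d alert(s)\n", scan_sample_events());
    return 0;
}
```

Matching on the image basename keeps the rule portable across install paths, and the case-insensitive compare matters on Windows where telemetry may report 7zFM.EXE or CMD.EXE depending on the sensor.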
Sources
- GitHub Security Lab — GHSL-2026-140: Heap Buffer Write Overflow in 7-Zip
- The CyberSec Guru — CVE-2026-48095: 7-Zip Heap Buffer Overflow Vulnerability
- SOCPrime — CVE-2026-48095: 7-Zip Heap Overflow Flaw
- Cybersecurity News — New 7-Zip Vulnerabilities Let Attackers Execute Arbitrary Code
- GBHackers — Multiple 7-Zip Vulnerabilities Enable Arbitrary Code Execution