CVE-2026-48092

Vulnerability

Versions 9.34 through 26.00 of 7-Zip are affected by a heap memory disclosure vulnerability in the SquashFS handler on 32-bit builds. An integer overflow in the ReadBlock function allows an attacker-controlled node.Offset value to bypass fragment bounds checks, leading to memcpy reading heap memory preceding the cache buffer into the extracted file. This issue is only exploitable on 32-bit builds where size_t is 32 bits, as the addition offsetInBlock + blockSize can wrap modulo 2³² [1].

Exploitation

An attacker needs to provide a specially crafted SquashFS archive to a vulnerable 32-bit build of 7-Zip. The vulnerability is triggered when the ReadBlock function processes a fragment with an attacker-controlled offset. The overflow occurs because node.Offset is read directly from the inode as a UInt32 without validation, and the subsequent addition with blockSize can wrap around on 32-bit systems, bypassing the check offsetInBlock + blockSize > _cachedUnpackBlockSize [1].

Impact

Successful exploitation allows an attacker to disclose heap memory preceding the cache buffer. This memory may contain sensitive information, potentially compromising system integrity or leading to unauthorized data access [1].

Mitigation

Version 26.01 of 7-Zip, released on April 27, 2026, addresses this vulnerability. Users are advised to update to version 26.01 or later. No workarounds are specified in the available references [1].