CVE-2026-48101

Vulnerability

Versions 9.21 through 26.00 of 7-Zip contain an uninitialized memory disclosure vulnerability within the UEFI capsule (.scap) parser. The OpenCapsule function allocates a heap buffer based on an attacker-declared CapsuleImageSize (up to 1 GiB) without zero-initialization. It then reads file contents into this buffer using ReadStream_FALSE, silently discarding its return value. If the input file is truncated, the uninitialized portion of the heap memory remains and is subsequently exposed as extracted file content via GetStream [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted, truncated UEFI capsule file to 7-Zip. When 7-Zip attempts to parse this file, it will read uninitialized heap memory into the buffer. The vulnerability does not require network access or special privileges, but it does require the user to interact with the malicious file, for example, by attempting to extract it.

Impact

Successful exploitation of this vulnerability allows an attacker to disclose uninitialized heap memory contents. This could potentially lead to the disclosure of sensitive information that was previously present in the heap, impacting the confidentiality of the system.

Mitigation

Version 26.0.1 of 7-Zip fixes this issue. This version was released on 2026-04-27 [1]. Users are strongly advised to update to version 26.0.1 or later to address this vulnerability.