CVE-2026-48102
Description
7-Zip versions 9.11 through 26.00 have a heap out-of-bounds read in the UDF handler, potentially leading to information disclosure or denial of service.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Versions 9.11 through 26.00 of 7-Zip contain a heap out-of-bounds read vulnerability of up to 3 bytes within the UDF disc image handler's File Identifier Descriptor parser. This occurs in the CFileId::Parse function when processing crafted UDF images, specifically when the alignment-padding loop reads past the allocated buffer due to incorrect bounds checking after advancing the processed size. The UDF handler is automatically detected for .iso and .udf files [1].
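The bounds-checking pattern behind this bug, as an added example that is not 7-Zip's code: a hypothetical, simplified UDF File Identifier Descriptor walker in C that validates the whole padded record length against the remaining bytes before its alignment-padding loop touches anything. Field offsets follow the ECMA-167 FID layout (38-byte fixed part, L_FI at byte 19, L_IU at bytes 36-37, zero padding to a 4-byte boundary); the directory data is constructed inline.

```c
#include <stddef.h>
#include <stdint.h>

/* Hypothetical, simplified FID walker (not 7-Zip code). An ECMA-167 FID is a
   38-byte fixed part, then L_IU bytes of implementation use, L_FI bytes of
   file identifier, then zero padding so the total is a multiple of 4. */
#define FID_FIXED_LEN 38

/* Parse one FID at *processed. Returns its padded length and advances
   *processed, or returns 0 (leaving *processed untouched) when the record,
   padding included, does not fit in [buf, buf+size). The length check is done
   once against the remaining bytes, before any padding byte is read; checking
   only after advancing past the body is what lets a padding loop run off the
   end of the buffer. */
size_t fid_parse(const uint8_t *buf, size_t size, size_t *processed)
{
    size_t pos = *processed;
    if (pos > size || size - pos < FID_FIXED_LEN) return 0;
    uint8_t  l_fi = buf[pos + 19];
    uint16_t l_iu = (uint16_t)(buf[pos + 36] | (buf[pos + 37] << 8));
    size_t body   = FID_FIXED_LEN + (size_t)l_iu + l_fi;
    size_t padded = (body + 3) & ~(size_t)3;      /* round up to 4-byte boundary */
    if (padded > size - pos) return 0;            /* body AND padding must fit */
    for (size_t i = body; i < padded; i++)        /* padding bytes must be zero */
        if (buf[pos + i] != 0) return 0;
    *processed = pos + padded;
    return padded;
}

/* Walk a directory extent; returns the number of FIDs, or -1 on malformed input. */
int fid_walk(const uint8_t *buf, size_t size)
{
    size_t processed = 0;
    int count = 0;
    while (processed < size) {
        if (fid_parse(buf, size, &processed) == 0) return -1;
        count++;
    }
    return count;
}

/* Constructed sample: two FIDs (L_FI = 3 -> 44 bytes padded, L_FI = 1 -> 40 bytes). */
static const uint8_t SAMPLE_DIR[84] = { [19] = 3, [44 + 19] = 1 };
/* Constructed sample with a non-zero byte inside the padding. */
static const uint8_t BAD_PAD[44] = { [19] = 3, [43] = 1 };
```

Truncating the buffer so that only the padding is missing is rejected before the loop runs, which is exactly the case a crafted image relies on.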
Exploitation
An attacker can trigger this vulnerability by providing a specially crafted UDF image file. The vulnerability is triggered during the Open() operation when 7-Zip attempts to list or extract contents from this crafted image. No specific network position, authentication, or user interaction is required beyond the attacker's ability to present the crafted file to the victim's 7-Zip application [1].
Impact
Successful exploitation of this vulnerability results in a heap out-of-bounds read. This can lead to information disclosure, potentially acting as a 1-bit oracle per out-of-bounds byte read through the application's open/fail behavior. It can also cause a denial of service by crashing the application, especially under hardened memory allocators. There is no primitive for writing data or achieving remote code execution [1].
Mitigation
Version 26.01 of 7-Zip, released on April 27, 2026, addresses this issue. Users are advised to update to version 26.01 or later to remediate the vulnerability [1].
AI Insight generated on Jun 5, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.