CVE-2026-48103

Vulnerability

Versions 9.34 through 26.00 of 7-Zip contain an off-by-one heap out-of-bounds read vulnerability within the WIM (Windows Imaging) archive handler's security descriptor lookup. The CHandler::GetSecurity function incorrectly accesses memory one byte past the allocated SecurOffsets table when processing a security ID, due to a flawed bounds check that allows securityId to equal numEntries [1]. This handler is active for .wim, .swm, .esd, and .ppkg files.

Exploitation

An attacker can trigger this vulnerability by crafting a WIM archive with a malicious directory entry. When 7-Zip lists the contents of such an archive, either through the GUI (7zFM.exe) or command-line interface (7zz l -slt), the GetRawProp(kpidNtSecure) function is called. This function reads an attacker-controlled securityId from the WIM metadata, leading to the out-of-bounds read when SecurOffsets[securityId + 1] is accessed [1]. No user interaction beyond opening or listing the archive is required.

Impact

Successful exploitation of this vulnerability results in a heap out-of-bounds read. The read value is used arithmetically as a length and is not directly exposed to the attacker, limiting the impact to a potential denial of service, especially under hardened memory allocators. There is no write primitive, and therefore no arbitrary code execution or significant information disclosure is possible [1].

Mitigation

7-Zip version 26.01, released on April 27, 2026, addresses this vulnerability. Users are advised to update to version 26.01 or later. No workarounds are specified in the available references [1].