CVE-2026-48104

Vulnerability

Versions 9.18 through 26.00 of 7-Zip contain an uninitialized heap read vulnerability within the SquashFS archive handler. This occurs due to a sparsely populated index array where allocated memory slots can contain raw heap contents instead of zeros. The vulnerability is triggered when opening a crafted SquashFS archive, which causes the OpenDir function to read uninitialized memory, leading to a chained out-of-bounds read primitive that is dependent on heap layout and not reliably triggerable [1].

Exploitation

An attacker can exploit this vulnerability by crafting a SquashFS archive. The vulnerability is triggered during the Open() operation without requiring any user interaction beyond opening the file. The attacker influences the blockIndex field in the superblock, which leads to the reading of uninitialized heap memory. This memory is then used in a binary search that dereferences a midpoint without bounds checking, potentially leading to further out-of-bounds reads [1].

Impact

Successful exploitation of this vulnerability can lead to a denial of service due to a wild-pointer dereference. Additionally, it may result in heap information disclosure, as uninitialized memory contents can be read. However, the vulnerability does not provide a write primitive [1].

Mitigation

Version 26.01 of 7-Zip, released on April 27, 2026, addresses this vulnerability. Users are advised to update to version 26.01 or later to mitigate the risk. No workarounds are available for earlier versions [1].