CVE-2026-48111

Vulnerability

Versions 9.21 through 26.00 of 7-Zip contain an out-of-bounds read vulnerability in the ParseDepedencyExpression function within the UEFI firmware image parser (CPP/7zip/Archive/UefiHandler.cpp). The vulnerability arises from an incorrect comparison (>) instead of (>=) when validating an opcode byte against the size of the kExpressionCommands static array. This allows an opcode value of 10 to read one pointer slot (8 bytes on x64) past the end of the array in the .rodata section. The UEFI handler is enabled by default in 7z.dll [1].

Exploitation

An attacker can trigger this vulnerability by crafting a UEFI firmware image with a SECTION_DXE_DEPEX or SECTION_PEI_DEPEX section, where the first byte of the section body is 0x0A. This crafted archive can be processed automatically during IInArchive::Open() via the call path OpenFv/OpenCapsule → ParseVolume → ParseSections. No special privileges or user interaction are required beyond opening the malicious archive [1].

Impact

Dereferencing the out-of-bounds value as a const char * and passing it through strlen and memcpy into the archive's Characts property can lead to either a denial of service (access violation) if adjacent bytes are not readable, or a minor information disclosure. The disclosure may reveal an adjacent .rdata string literal into the archive metadata. The vulnerability does not allow for writing data, nor does it disclose heap data, secrets, or ASLR base addresses [1].

Mitigation

Version 26.01 of 7-Zip, released on 2026-04-27, addresses this issue. Users are advised to update to version 26.01 or later. No workarounds are available for older versions [1].