CVE-2026-48112

Vulnerability

A heap out-of-bounds read vulnerability exists in the Unix ar archive parser within 7-Zip, specifically in the BSD SYMDEF parser. When processing a BSD-style __.SYMDEF symbol table, the ParseLibSymbols function reads a 32-bit namesSize field. This read can occur at a position equal to the buffer size, causing 4 bytes to be read past the end of the heap allocation, exposing uninitialized heap data. This affects versions 9.18 through 26.00 [1].

Exploitation

An attacker could exploit this vulnerability by crafting a malicious .ar archive containing a malformed BSD-style __.SYMDEF symbol table. When 7-Zip attempts to parse this archive, the vulnerable function will read beyond the allocated heap buffer. No specific user interaction or network access is detailed in the available references, but the vulnerability lies within the archive parsing logic.

Impact

Successful exploitation of this vulnerability results in a heap out-of-bounds read, which can lead to the disclosure of uninitialized heap memory. The exact contents of this memory are attacker-controlled to some extent by the archive structure, but the primary impact is information disclosure. The scope of the compromise is limited to the data that can be read from the heap at the time of parsing.

Mitigation

Version 26.01 of 7-Zip, released on April 27, 2026, addresses this issue. Users are advised to update to version 26.01 or later to mitigate this vulnerability [1].