VYPR
patch · Published May 26, 2026 · 1 source

Critical Heap Buffer Overflow in 7-Zip 26.00 Enables Arbitrary Code Execution via NTFS Handler

A heap buffer overflow vulnerability (CVE-2026-48095, CVSS 3.1 score 8.8, High) in 7-Zip version 26.00 allows an attacker to execute arbitrary code by exploiting a defect in the NTFS archive handler.

A heap buffer overflow vulnerability rated 8.8 (High) on CVSS 3.1 has been disclosed in 7-Zip version 26.00. It lets an attacker achieve arbitrary code execution via a vtable hijack by exploiting a defect in the tool's NTFS archive handler. Tracked as CVE-2026-48095 and covered by GitHub Security Lab advisory GHSL-2026-140, the flaw resides in the CInStream::GetCuSize() function in NtfsHandler.cpp.

The root cause is a 32-bit shift, (UInt32)1 << (BlockSizeLog + CompressionUnit), used to compute the size of the compression-unit buffer. BlockSizeLog takes its value from the image's ClusterSizeLog field, so a crafted NTFS image that sets ClusterSizeLog = 28 and CompressionUnit = 4 drives the shift count to 32, which is undefined behavior (UB) in C++ for a 32-bit operand. On x86 and x86-64 the hardware keeps only the low five bits of a 32-bit shift count, so a count of 32 behaves like 0 and the expression evaluates to 1; _inBuf is therefore allocated with just 1 byte. That 1-byte buffer is then handed to a ReadStream_FALSE call that writes up to 256 MB of attacker-controlled data, the size of a single 2^28-byte cluster, into the single-byte allocation.

Because the CInStream object sits on the heap only 304 bytes past _inBuf, the first 64 KB read iteration already overwrites the object's vtable pointer. The second iteration then dispatches a virtual call through the corrupted vtable: a classic vtable hijack, with the attacker in full control of the overwritten pointer via crafted NTFS cluster content. Both 32-bit and 64-bit builds are affected. On 64-bit systems with 16 GB or more RAM, the preceding _outBuf.Alloc(8 GB) call succeeds and execution proceeds straight to the overflow; on systems with less memory that allocation fails, which limits the impact to denial of service (DoS).
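To make the arithmetic above concrete, here is an added C++ example (not 7-Zip's code; the function names and the kMaxCuLog bound are illustrative choices for this page) that reproduces what the 32-bit shift yields on x86 for the article's parameters, places a hardened, bounds-checked size computation beside it, and shows the independent length-versus-capacity check a read routine should make before filling a buffer. Writing 1u << 32 directly is undefined behaviour that a compiler may fold arbitrarily, so the x86 five-bit masking is applied explicitly to reproduce the hardware result deterministically, and the 256 MB read is scaled down to a 4 KB stand-in so the model runs in constant memory.

```cpp
// Added example (not 7-Zip's code): models the size computation described in
// the article and a hardened replacement. Names and the policy bound are
// illustrative.
#include <cstdint>
#include <cstring>
#include <iostream>
#include <vector>

typedef uint32_t UInt32;

// What the vulnerable expression (UInt32)1 << (BlockSizeLog + CompressionUnit)
// yields on x86/x86-64: the CPU keeps only the low 5 bits of a 32-bit shift
// count, so a count of 32 acts like 0 and the result is 1. The mask is written
// out because 1u << 32 in C++ is undefined behaviour and a compiler may fold it
// to anything; this reproduces the hardware outcome deterministically.
UInt32 cu_size_as_x86_computes(unsigned blockSizeLog, unsigned compressionUnit) {
    unsigned count = blockSizeLog + compressionUnit;
    return (UInt32)1 << (count & 31);
}

// Hardened version: validate the exponent before shifting, compute in 64 bits,
// and cap the result with an explicit policy limit. kMaxCuLog = 30 (1 GiB) is an
// assumption for this example, not 7-Zip's limit; any bound below 32 closes the hole.
constexpr unsigned kMaxCuLog = 30;

bool cu_size_checked(unsigned blockSizeLog, unsigned compressionUnit, size_t* out) {
    // Guard the addition itself so two large fields cannot wrap the sum.
    if (blockSizeLog > 63 || compressionUnit > 63) return false;
    unsigned count = blockSizeLog + compressionUnit;
    if (count > kMaxCuLog) return false;          // also rejects count >= 32
    *out = (size_t)((uint64_t)1 << count);        // fits: count <= 30
    return true;
}

// Models the ReadStream_FALSE(_inBuf, len) step with the check it lacked: the
// requested length is compared against the capacity the caller actually owns,
// independently of how that length was derived. Returns false instead of
// writing past bufCap, and false on a short stream (ReadStream_FALSE semantics).
bool read_into(uint8_t* buf, size_t bufCap, const std::vector<uint8_t>& stream, size_t wantLen) {
    if (wantLen > bufCap) return false;          // would overflow the allocation
    if (wantLen > stream.size()) return false;   // short read is an error
    std::memcpy(buf, stream.data(), wantLen);
    return true;
}

// Walks the article's crafted parameters end to end. The 256 MB cluster read
// is scaled down to readLen bytes so the model runs in constant memory.
struct Outcome {
    UInt32 vulnerableAlloc;   // bytes _inBuf gets under the masked shift
    bool   hardenedAccepts;   // whether cu_size_checked lets the image through
    bool   readRefused;       // whether the bounded read refuses to overflow
};

Outcome model_crafted_image(unsigned clusterSizeLog, unsigned compressionUnit, size_t readLen) {
    Outcome o{};
    // BlockSizeLog is populated from the image's ClusterSizeLog field.
    o.vulnerableAlloc = cu_size_as_x86_computes(clusterSizeLog, compressionUnit);
    size_t checked = 0;
    o.hardenedAccepts = cu_size_checked(clusterSizeLog, compressionUnit, &checked);
    std::vector<uint8_t> inBuf(o.vulnerableAlloc);        // the undersized allocation
    std::vector<uint8_t> stream(readLen, 0x41);           // constructed attacker-controlled bytes
    o.readRefused = !read_into(inBuf.data(), inBuf.size(), stream, readLen);
    return o;
}

int main() {
    Outcome crafted = model_crafted_image(28, 4, 4096);   // article's values, read scaled to 4 KB
    Outcome benign  = model_crafted_image(12, 4, 4096);   // 4 KiB clusters, 16-cluster unit = 64 KiB
    std::cout << "crafted: alloc=" << crafted.vulnerableAlloc
              << " hardened_accepts=" << crafted.hardenedAccepts
              << " read_refused=" << crafted.readRefused << "\n";
    std::cout << "benign:  alloc=" << benign.vulnerableAlloc
              << " hardened_accepts=" << benign.hardenedAccepts
              << " read_refused=" << benign.readRefused << "\n";
    return 0;
}
```

The two checks are deliberately independent: even if the size computation were trusted, the read routine still compares the requested length against the buffer it was given, so a future regression in one place does not silently become a heap overflow in the other.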

A particularly dangerous aspect is that the attack surface is extension-agnostic. When the handler chosen by file extension rejects a file, 7-Zip falls back to signature-based detection, and the NTFS handler matches on the "NTFS " OEM identifier at byte offset 3 of the boot sector. A crafted NTFS image can therefore carry any extension (.7z, .zip, .rar, or none at all) and still reach the vulnerable handler once the extension-matched handler rejects it. No interaction beyond opening the file is required. For defenders this also means that blocking or filtering by extension does not stop the file; detection has to inspect content.
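The following added C++ example (not 7-Zip's code) shows the defensive side of that observation: a triage routine that identifies an NTFS boot sector purely from its bytes, ignoring the file name, and flags images whose cluster-size exponent plus the article's CompressionUnit value of 4 reaches 32. It parses three documented boot-sector fields, the OEM ID "NTFS    " at offset 3, bytes per sector at offset 0x0B and the sectors-per-cluster byte at offset 0x0D, and also requires the 0x55AA signature at offset 0x1FE. Sectors-per-cluster values above 0x80 are decoded with the negative-exponent encoding used for large clusters; that decoding is an assumption about the on-disk format, not a statement about how 7-Zip reads the field. The sample boot sectors are constructed in code, and the triage_file helper is provided for running the same check on real files.

```cpp
// Added example (not 7-Zip's code): content-based NTFS triage that never looks
// at the file extension, mirroring the fallback detection described in the article.
#include <cstdint>
#include <cstring>
#include <fstream>
#include <iostream>
#include <string>
#include <vector>

struct NtfsTriage {
    bool isNtfs = false;           // "NTFS    " at offset 3 and 0x55AA at offset 0x1FE
    bool fieldsValid = false;      // sector/cluster fields decoded to powers of two
    unsigned sectorSizeLog = 0;    // log2(bytes per sector), offset 0x0B (u16 LE)
    unsigned clusterSizeLog = 0;   // sectorSizeLog + log2(sectors per cluster), offset 0x0D
    bool oversizedCluster = false; // clusterSizeLog + kCompressionUnit >= 32
};

// CompressionUnit value the article cites for the crafted image (16 clusters).
constexpr unsigned kCompressionUnit = 4;

// log2 of a power of two, or -1 if v is zero or not a power of two.
static int log2_exact(uint64_t v) {
    if (v == 0 || (v & (v - 1)) != 0) return -1;
    int n = 0;
    while (v > 1) { v >>= 1; ++n; }
    return n;
}

// Decode the sectors-per-cluster byte. Values up to 0x80 are a plain count;
// values above 0x80 use the negative-exponent encoding for large clusters
// (count = 2^(256 - byte)). Assumption about the on-disk format, not about 7-Zip.
static int sectors_per_cluster_log(uint8_t b) {
    if (b == 0) return -1;
    if (b <= 0x80) return log2_exact(b);
    return 256 - b;
}

// Inspect the first sector of a candidate file. The file name plays no part:
// a renamed .7z, .zip or extension-less file is classified the same way.
NtfsTriage triage_ntfs(const std::vector<uint8_t>& blob) {
    NtfsTriage t;
    if (blob.size() < 512) return t;
    if (std::memcmp(blob.data() + 3, "NTFS    ", 8) != 0) return t;
    if (blob[0x1FE] != 0x55 || blob[0x1FF] != 0xAA) return t;
    t.isNtfs = true;
    unsigned bytesPerSector = blob[0x0B] | ((unsigned)blob[0x0C] << 8);
    int sLog = log2_exact(bytesPerSector);
    int cLog = sectors_per_cluster_log(blob[0x0D]);
    if (sLog < 0 || cLog < 0) return t;           // isNtfs stays true, fieldsValid false
    t.fieldsValid = true;
    t.sectorSizeLog = (unsigned)sLog;
    t.clusterSizeLog = (unsigned)(sLog + cLog);
    t.oversizedCluster = t.clusterSizeLog + kCompressionUnit >= 32;
    return t;
}

// Read the first 512 bytes of a file on disk and triage them.
NtfsTriage triage_file(const std::string& path) {
    std::ifstream in(path, std::ios::binary);
    std::vector<uint8_t> head(512, 0);
    in.read(reinterpret_cast<char*>(head.data()), 512);
    if (in.gcount() < 512) head.clear();          // too short to be a boot sector
    return triage_ntfs(head);
}

// Constructed sample boot sector (not a real image): jump stub, OEM ID,
// BPB size fields and the 0x55AA signature.
std::vector<uint8_t> make_boot_sector(uint16_t bytesPerSector, uint8_t spcByte) {
    std::vector<uint8_t> s(512, 0);
    s[0] = 0xEB; s[1] = 0x52; s[2] = 0x90;
    std::memcpy(&s[3], "NTFS    ", 8);
    s[0x0B] = (uint8_t)(bytesPerSector & 0xFF);
    s[0x0C] = (uint8_t)(bytesPerSector >> 8);
    s[0x0D] = spcByte;
    s[0x1FE] = 0x55; s[0x1FF] = 0xAA;
    return s;
}

static void report(const char* name, const NtfsTriage& t) {
    std::cout << name << ": ntfs=" << t.isNtfs << " clusterLog=" << t.clusterSizeLog
              << " oversized=" << t.oversizedCluster << "\n";
}

int main() {
    // "payload.7z" is NTFS by content: 4096-byte sectors, 0xF0 -> 2^16 sectors per cluster.
    report("payload.7z (crafted)", triage_ntfs(make_boot_sector(4096, 0xF0)));  // clusterLog=28, oversized=1
    report("volume.img (typical)", triage_ntfs(make_boot_sector(512, 8)));      // clusterLog=12, oversized=0
    std::vector<uint8_t> zip = {'P', 'K', 0x03, 0x04};                           // ZIP magic, not NTFS
    zip.resize(512, 0);
    report("archive.zip", triage_ntfs(zip));
    return 0;
}
```

A gateway or endpoint rule built on triage_ntfs catches the disguised image regardless of what the sender named it, which is the property an extension-based rule lacks here.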

The vulnerability carries a CVSS 3.1 base score of 8.8 (High) with vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. It is classified under CWE-787 (Out-of-bounds Write) and CWE-190 (Integer Overflow or Wraparound). All 7-Zip versions through 26.00 are affected, since the flawed GetCuSize() computation has been present since NTFS compressed-stream support was first introduced.

The vulnerability was discovered and responsibly reported by Jaroslav Lobačevski (@JarLob) of the GitHub Security Lab. It was confirmed with Clang's UndefinedBehaviorSanitizer (UBSan) on Linux x64, which flagged the root-cause shift at NtfsHandler.cpp:687, followed by a cascading invalid vtable dereference ending in a SIGSEGV. Users are strongly advised to update 7-Zip to a patched version immediately and, until the update is applied, to avoid opening untrusted archive files or disk images regardless of their extension.

Synthesized by Vypr AI