Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain an off-by-one heap out-of-bounds read in the WIM (Windows Imaging) archive handler's security descriptor lookup. In CHandler::GetSecurity (CPP/7zip/Archive/Wim/WimHandler.cpp), the per-image SecurOffsets table holds numEntries + 1 cumulative offsets, but the check securityId >= SecurOffsets.Size() admits securityId == numEntries, and the function then reads SecurOffsets[securityId + 1], fetching one UInt32 past the end of the heap-allocated CRecordVector (which performs no bounds checking on operator[]). The securityId is attacker-controlled at offset +0xC of any directory entry in WIM metadata, and the handler is registered for .wim, .swm, .esd, and .ppkg and enabled by default in stock 7z.dll; the OOB triggers zero-click in the GUI because 7zFM.exe's ListView calls GetRawProp(kpidNtSecure) for every item during listing (ASan-confirmed), and is also reachable via CLI listing with 7zz l -slt. Impact is limited to denial of service under hardened allocators and minor information disclosure, since the OOB value is only consumed arithmetically as a length and is not surfaced to the attacker; there is no write primitive.
AnalysisAI
Off-by-one heap out-of-bounds read in 7-Zip's WIM archive handler (versions 9.34-26.00) allows a remote unauthenticated attacker to trigger denial of service - and potentially minor information disclosure - by delivering a crafted WIM file. The vulnerability is zero-click exploitable in the GUI: 7zFM.exe automatically calls GetRawProp(kpidNtSecure) for every listed item, triggering the OOB read without any additional user interaction beyond opening or navigating to the malicious archive. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.
Technical ContextAI
The vulnerable code resides in CHandler::GetSecurity within CPP/7zip/Archive/Wim/WimHandler.cpp, which handles the Windows Imaging (WIM) archive format. The WIM handler maintains a per-image SecurOffsets table of numEntries + 1 cumulative offsets. The off-by-one arises because the bounds check securityId >= SecurOffsets.Size() permits securityId to equal numEntries, after which the code dereferences SecurOffsets[securityId + 1] - reading one UInt32 past the end of the heap-allocated CRecordVector, which performs no internal bounds checking on operator[]. The root cause is CWE-125 (Out-of-bounds Read). Critically, the securityId value is attacker-controlled: it resides at offset +0xC within any WIM directory entry embedded in WIM metadata. The handler is registered by default for .wim, .swm, .esd, and .ppkg extensions and is active in stock 7z.dll. The CPE string (cpe:2.3:a:mcmilk:7-zip:*:*:*:*:*:*:*:*) attributes the flaw to the mcmilk-maintained 7-Zip fork on GitHub, though the description also implicates binaries (7zFM.exe, 7zz) associated with official 7-Zip releases - this overlap should be verified with the vendor. The vulnerability has been confirmed via ASan (AddressSanitizer), establishing a reliable crash signal.
RemediationAI
No vendor-released patch with a confirmed fixed version number is available in the provided data. Upstream GitHub Security Lab advisories GHSL-2026-115 and GHSL-2026-122 document the flaw at https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/ - monitor this advisory and the mcmilk 7-Zip GitHub repository for a patched release. Until a fix is available, the most targeted compensating control is to avoid opening untrusted WIM, SWM, ESD, or PPKG files with 7-Zip directly; these extensions can be disassociated from 7-Zip's file handler registration to prevent accidental GUI triggering. For pipeline or server-side environments that automatically process archives, filter or reject WIM-format inputs at ingestion boundaries as a temporary measure - note this blocks legitimate WIM processing as a side effect. The vulnerability is not exploitable for code execution under current analysis, so urgency of patching is lower than for memory-write primitives; however, updating to the patched release once available remains the definitive remediation.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Low| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34852