Skip to main content

7-Zip CVE-2026-48104

| EUVDEUVD-2026-34853 MEDIUM
Use of Uninitialized Resource (CWE-908)
2026-06-05 GitHub_M
4.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L
SUSE
3.6 LOW
AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 05, 2026 - 18:01 EUVD
Analysis Generated
Jun 05, 2026 - 17:20 vuln.today

DescriptionGitHub Advisory

7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain an uninitialized heap read in the SquashFS archive handler caused by a sparsely populated index array. In the SquashFS handler, _blockToNode is allocated with capacity for every metadata block but populated only when an inode crosses a block boundary, so a crafted image with few inodes spanning many blocks leaves most slots holding raw heap contents (the underlying allocator does not zero-initialize POD storage). When OpenDir looks up an attacker-influenced blockIndex (derived from the RootInode superblock field), it reads two of these uninitialized slots and passes them as the left/right bounds of a binary search over _nodesPos, which dereferences the midpoint without bounds checking; if the resulting value happens to match the search key, the returned index is used to read a full node struct from _nodes whose fields feed further directory parsing, forming a chained OOB read primitive that is heap-layout-dependent and not reliably triggerable. The SquashFS handler is enabled by default in stock 7z.dll and the issue triggers during Open() with no interaction beyond opening the file; impact is denial of service from wild-pointer dereference and potential heap information disclosure, with no write primitive. Version 26.01 fixes the issue.

AnalysisAI

Uninitialized heap read in 7-Zip's SquashFS archive handler (versions 9.18 through 26.00) can crash the application and leak raw heap memory contents when a user opens a specially crafted archive. The flaw originates in the _blockToNode array, which is allocated but never zero-initialized; an attacker-controlled blockIndex derived from the RootInode superblock field drives a binary search over uninitialized slots, producing a chained out-of-bounds read with no write primitive. No public exploit has been identified at time of analysis, and the description explicitly characterizes exploitation as heap-layout-dependent and not reliably triggerable, which is consistent with the CVSS AC:H rating and limits practical risk despite the network-deliverable attack surface.

Technical ContextAI

The affected component is 7-Zip's SquashFS archive handler, identified via CPE cpe:2.3:a:mcmilk:7-zip:*:*:*:*:*:*:*:* as the mcmilk community-maintained fork. The root cause is CWE-908 (Use of Uninitialized Resource): _blockToNode is allocated with capacity for every metadata block in the SquashFS image but is populated only when an inode crosses a block boundary. Because the underlying C++ allocator does not zero-initialize plain-old-data (POD) storage, a crafted image with few inodes spanning many blocks leaves most array slots holding raw heap residue from prior allocations. The OpenDir function reads two of these uninitialized slots as the left and right bounds for a binary search over _nodesPos, then dereferences the computed midpoint without bounds validation. If the dereferenced value matches the search key, the returned index is used to read a full node struct from _nodes, whose fields feed further directory parsing - forming a chained OOB read primitive. The SquashFS handler is enabled by default in stock 7z.dll, and the vulnerability triggers during Open() without any interaction beyond the act of opening the archive.

RemediationAI

Upgrade 7-Zip to version 26.01, which resolves this vulnerability per the CVE description and the GitHub Security Lab advisory (GHSL-2026-115, GHSL-2026-122) at https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/. If an immediate upgrade is not feasible, restrict the ability to open untrusted SquashFS archives via 7-Zip by blocking SquashFS file extensions (.sqfs, .sfs) at email gateways, web proxies, or endpoint DLP controls - this eliminates the delivery vector at the cost of blocking legitimate SquashFS file handling. Because the SquashFS handler is compiled into 7z.dll and enabled by default, there is no documented runtime configuration switch to disable it selectively; removal or replacement of the DLL would mitigate the issue but would disable all 7z.dll-dependent functionality. No other vendor-documented workarounds are available in the referenced advisory.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected

Share

CVE-2026-48104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy