Severity by source
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L
AV:L/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain an uninitialized heap read in the SquashFS archive handler caused by a sparsely populated index array. In the SquashFS handler, _blockToNode is allocated with capacity for every metadata block but populated only when an inode crosses a block boundary, so a crafted image with few inodes spanning many blocks leaves most slots holding raw heap contents (the underlying allocator does not zero-initialize POD storage). When OpenDir looks up an attacker-influenced blockIndex (derived from the RootInode superblock field), it reads two of these uninitialized slots and passes them as the left/right bounds of a binary search over _nodesPos, which dereferences the midpoint without bounds checking; if the resulting value happens to match the search key, the returned index is used to read a full node struct from _nodes whose fields feed further directory parsing, forming a chained OOB read primitive that is heap-layout-dependent and not reliably triggerable. The SquashFS handler is enabled by default in stock 7z.dll and the issue triggers during Open() with no interaction beyond opening the file; impact is denial of service from wild-pointer dereference and potential heap information disclosure, with no write primitive. Version 26.01 fixes the issue.
AnalysisAI
Uninitialized heap read in 7-Zip's SquashFS archive handler (versions 9.18 through 26.00) can crash the application and leak raw heap memory contents when a user opens a specially crafted archive. The flaw originates in the _blockToNode array, which is allocated but never zero-initialized; an attacker-controlled blockIndex derived from the RootInode superblock field drives a binary search over uninitialized slots, producing a chained out-of-bounds read with no write primitive. No public exploit has been identified at time of analysis, and the description explicitly characterizes exploitation as heap-layout-dependent and not reliably triggerable, which is consistent with the CVSS AC:H rating and limits practical risk despite the network-deliverable attack surface.
Technical ContextAI
The affected component is 7-Zip's SquashFS archive handler, identified via CPE cpe:2.3:a:mcmilk:7-zip:*:*:*:*:*:*:*:* as the mcmilk community-maintained fork. The root cause is CWE-908 (Use of Uninitialized Resource): _blockToNode is allocated with capacity for every metadata block in the SquashFS image but is populated only when an inode crosses a block boundary. Because the underlying C++ allocator does not zero-initialize plain-old-data (POD) storage, a crafted image with few inodes spanning many blocks leaves most array slots holding raw heap residue from prior allocations. The OpenDir function reads two of these uninitialized slots as the left and right bounds for a binary search over _nodesPos, then dereferences the computed midpoint without bounds validation. If the dereferenced value matches the search key, the returned index is used to read a full node struct from _nodes, whose fields feed further directory parsing - forming a chained OOB read primitive. The SquashFS handler is enabled by default in stock 7z.dll, and the vulnerability triggers during Open() without any interaction beyond the act of opening the archive.
RemediationAI
Upgrade 7-Zip to version 26.01, which resolves this vulnerability per the CVE description and the GitHub Security Lab advisory (GHSL-2026-115, GHSL-2026-122) at https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/. If an immediate upgrade is not feasible, restrict the ability to open untrusted SquashFS archives via 7-Zip by blocking SquashFS file extensions (.sqfs, .sfs) at email gateways, web proxies, or endpoint DLP controls - this eliminates the delivery vector at the cost of blocking legitimate SquashFS file handling. Because the SquashFS handler is compiled into 7z.dll and enabled by default, there is no documented runtime configuration switch to disable it selectively; removal or replacement of the DLL would mitigate the issue but would disable all 7z.dll-dependent functionality. No other vendor-documented workarounds are available in the referenced advisory.
Same weakness CWE-908 – Use of Uninitialized Resource
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Low| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34853