Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain a heap memory disclosure via SquashFS fragment offset integer overflow on 32-bit builds. 32-bit integer overflow in the SquashFS ReadBlock function allows an attacker-controlled node.Offset value to bypass the fragment bounds check, causing memcpy to read heap memory preceding the cache buffer into the extracted file. The vulnerability is exploitable only on 32-bit builds of 7-Zip where size_t is 32 bits, allowing the addition offsetInBlock + blockSize to wrap modulo 2³². On 64-bit builds the addition is promoted to 64 bits and the check correctly rejects the input. Version 26.01 patches the issue.
AnalysisAI
Heap memory disclosure in 7-Zip 9.34 through 26.00 (32-bit builds only) allows a remote unauthenticated attacker to leak arbitrary heap contents into attacker-controlled extracted files by supplying a crafted SquashFS archive. The root cause is a 32-bit integer overflow in the SquashFS ReadBlock function: because size_t is 32 bits on 32-bit builds, the addition of offsetInBlock and blockSize wraps modulo 2³², bypassing the fragment bounds check and directing memcpy to read heap memory preceding the intended cache buffer. No public exploit has been identified at time of analysis, and no CISA KEV listing exists. Version 26.01 patches the issue.
Technical ContextAI
7-Zip's SquashFS parser contains a ReadBlock function responsible for reading compressed fragment data from an archive. The vulnerability (CWE-125: Out-of-bounds Read) arises because the bounds check on node.Offset is defeated by a 32-bit integer overflow: on 32-bit builds where size_t is a 32-bit type, the expression offsetInBlock + blockSize can wrap around modulo 2³², producing a result that passes the bounds check while the actual memcpy source pointer points to heap memory before the legitimate cache buffer. On 64-bit builds, the operands are promoted to 64-bit arithmetic, so the overflow cannot occur and the check correctly rejects malicious input. The affected CPE is cpe:2.3:a:mcmilk:7-zip:*:*:*:*:*:*:*:*, encompassing the mcmilk fork of 7-Zip, which is the actively maintained upstream. The vulnerability was discovered and reported by GitHub Security Lab (GHSL-2026-115/GHSL-2026-122).
RemediationAI
The primary fix is to upgrade to 7-Zip version 26.01, which patches the integer overflow in the SquashFS ReadBlock function. The vendor-released patch is confirmed at version 26.01 per GitHub Security Lab advisory GHSL-2026-115/GHSL-2026-122 (https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/). Organizations unable to patch immediately should migrate to 64-bit builds of 7-Zip where possible, as the overflow cannot occur when size_t is 64 bits - this is an effective compensating control with no functional trade-off for most users. If SquashFS archive handling is not required in the deployment context, restricting processing of .squashfs or related archive types at the perimeter (e.g., mail gateway content filters, endpoint DLP rules) reduces exposure, though this does not eliminate the vulnerability if users can introduce archives through other channels. No other workarounds specific to this vulnerability were identified in the available data.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Moderate| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34837