Skip to main content

7-Zip EUVDEUVD-2026-34837

| CVE-2026-48092 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-05 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
SUSE
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 05, 2026 - 16:01 EUVD
Analysis Generated
Jun 05, 2026 - 15:04 vuln.today

DescriptionGitHub Advisory

7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain a heap memory disclosure via SquashFS fragment offset integer overflow on 32-bit builds. 32-bit integer overflow in the SquashFS ReadBlock function allows an attacker-controlled node.Offset value to bypass the fragment bounds check, causing memcpy to read heap memory preceding the cache buffer into the extracted file. The vulnerability is exploitable only on 32-bit builds of 7-Zip where size_t is 32 bits, allowing the addition offsetInBlock + blockSize to wrap modulo 2³². On 64-bit builds the addition is promoted to 64 bits and the check correctly rejects the input. Version 26.01 patches the issue.

AnalysisAI

Heap memory disclosure in 7-Zip 9.34 through 26.00 (32-bit builds only) allows a remote unauthenticated attacker to leak arbitrary heap contents into attacker-controlled extracted files by supplying a crafted SquashFS archive. The root cause is a 32-bit integer overflow in the SquashFS ReadBlock function: because size_t is 32 bits on 32-bit builds, the addition of offsetInBlock and blockSize wraps modulo 2³², bypassing the fragment bounds check and directing memcpy to read heap memory preceding the intended cache buffer. No public exploit has been identified at time of analysis, and no CISA KEV listing exists. Version 26.01 patches the issue.

Technical ContextAI

7-Zip's SquashFS parser contains a ReadBlock function responsible for reading compressed fragment data from an archive. The vulnerability (CWE-125: Out-of-bounds Read) arises because the bounds check on node.Offset is defeated by a 32-bit integer overflow: on 32-bit builds where size_t is a 32-bit type, the expression offsetInBlock + blockSize can wrap around modulo 2³², producing a result that passes the bounds check while the actual memcpy source pointer points to heap memory before the legitimate cache buffer. On 64-bit builds, the operands are promoted to 64-bit arithmetic, so the overflow cannot occur and the check correctly rejects malicious input. The affected CPE is cpe:2.3:a:mcmilk:7-zip:*:*:*:*:*:*:*:*, encompassing the mcmilk fork of 7-Zip, which is the actively maintained upstream. The vulnerability was discovered and reported by GitHub Security Lab (GHSL-2026-115/GHSL-2026-122).

RemediationAI

The primary fix is to upgrade to 7-Zip version 26.01, which patches the integer overflow in the SquashFS ReadBlock function. The vendor-released patch is confirmed at version 26.01 per GitHub Security Lab advisory GHSL-2026-115/GHSL-2026-122 (https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/). Organizations unable to patch immediately should migrate to 64-bit builds of 7-Zip where possible, as the overflow cannot occur when size_t is 64 bits - this is an effective compensating control with no functional trade-off for most users. If SquashFS archive handling is not required in the deployment context, restricting processing of .squashfs or related archive types at the perimeter (e.g., mail gateway content filters, endpoint DLP rules) reduces exposure, though this does not eliminate the vulnerability if users can introduce archives through other channels. No other workarounds specific to this vulnerability were identified in the available data.

Vendor StatusVendor

SUSE

Severity: Moderate
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected

Share

EUVD-2026-34837 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy