Skip to main content

7-Zip EUVDEUVD-2026-34850

| CVE-2026-48102 LOW
Out-of-bounds Read (CWE-125)
2026-06-05 GitHub_M
3.1
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
3.1 LOW
AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Patch available
Jun 05, 2026 - 17:01 EUVD
Analysis Generated
Jun 05, 2026 - 16:16 vuln.today

DescriptionGitHub Advisory

7-Zip is a file archiver with a high compression ratio. Versions 9.11 through 26.00 contain a heap out-of-bounds read of up to 3 bytes in the UDF disc image handler's File Identifier Descriptor parser. In CFileId::Parse (CPP/7zip/Archive/Udf/UdfIn.cpp), after validating size < 38 + idLen + impLen and advancing processed to 38 + impLen + idLen, the alignment-padding loop reads p[processed] while incrementing up to 3 times to reach a 4-byte boundary, and the processed <= size bounds check only runs after the loop. When (38 + impLen + idLen) % 4 != 0 and 38 + impLen + idLen == size, the loop reads 1 to 3 bytes past the end of the exact-size heap buffer allocated via buf.Alloc((size_t)item.Size). The UDF handler is registered for .iso and .udf files and auto-detected by signature, and the OOB read triggers during Open() when listing or extracting a crafted UDF image. Impact is limited to information disclosure (a 1-bit oracle per OOB byte via open/fail behavior) and denial of service (crash under hardened allocators); there is no write primitive. Version 26.01 fixes the issue.

AnalysisAI

Heap out-of-bounds read in 7-Zip versions 9.11 through 26.00 exposes up to 3 bytes of heap memory during UDF disc image parsing, triggering when a user opens or extracts a crafted .iso or .udf file. Impact is constrained to a 1-bit information-disclosure oracle per out-of-bounds byte (inferred from open/fail behavior) and potential denial of service under hardened allocators; no write primitive exists. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS Low score of 3.1 accurately reflects the limited real-world severity.

Technical ContextAI

The vulnerability resides in CFileId::Parse within CPP/7zip/Archive/Udf/UdfIn.cpp, the File Identifier Descriptor parser for the UDF (Universal Disk Format) disc image handler. After validating that the field size is less than 38 + idLen + impLen and advancing the processed pointer to 38 + impLen + idLen, an alignment-padding loop increments processed up to three times to reach a 4-byte boundary, reading p[processed] on each iteration. The bounds check (processed <= size) executes only after the loop completes rather than inside it. When the sum (38 + impLen + idLen) equals size exactly and is not divisible by 4, the loop reads 1 to 3 bytes past the end of the heap buffer allocated via buf.Alloc((size_t)item.Size). CWE-125 (Out-of-bounds Read) is the root cause: a post-loop bounds check creates a window where the guard condition is evaluated too late. The UDF handler is auto-registered for .iso and .udf file extensions and also triggers via signature-based detection, meaning the vulnerable code path activates automatically during Open() when listing or extracting archives.

RemediationAI

Upgrade to 7-Zip version 26.01, which fixes the off-by-one bounds check placement in CFileId::Parse so that the processed <= size guard runs inside the alignment-padding loop rather than after it. The advisory and further context are available at https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/. If immediate upgrade is not possible, a targeted compensating control is to block or quarantine all .iso and .udf files at the organizational perimeter or endpoint before they reach 7-Zip, preventing the auto-detected UDF handler from triggering; note this has an operational cost if UDF images are legitimately used. Disabling UDF association in 7-Zip file type settings (if exposed by the build) would also prevent automatic handler invocation, though this does not protect against explicit extraction commands. Given the Low CVSS severity and High attack complexity, organizations without hardened allocators and without a workflow involving untrusted UDF/ISO files face negligible practical risk from delaying the upgrade.

Share

EUVD-2026-34850 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy