Skip to main content

7-Zip EUVDEUVD-2026-34852

| CVE-2026-48103 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-05 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
SUSE
3.3 LOW
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Patch available
Jun 05, 2026 - 18:01 EUVD
Analysis Generated
Jun 05, 2026 - 17:19 vuln.today
CVE Published
Jun 05, 2026 - 15:48 nvd
MEDIUM 4.3

DescriptionGitHub Advisory

7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain an off-by-one heap out-of-bounds read in the WIM (Windows Imaging) archive handler's security descriptor lookup. In CHandler::GetSecurity (CPP/7zip/Archive/Wim/WimHandler.cpp), the per-image SecurOffsets table holds numEntries + 1 cumulative offsets, but the check securityId >= SecurOffsets.Size() admits securityId == numEntries, and the function then reads SecurOffsets[securityId + 1], fetching one UInt32 past the end of the heap-allocated CRecordVector (which performs no bounds checking on operator[]). The securityId is attacker-controlled at offset +0xC of any directory entry in WIM metadata, and the handler is registered for .wim, .swm, .esd, and .ppkg and enabled by default in stock 7z.dll; the OOB triggers zero-click in the GUI because 7zFM.exe's ListView calls GetRawProp(kpidNtSecure) for every item during listing (ASan-confirmed), and is also reachable via CLI listing with 7zz l -slt. Impact is limited to denial of service under hardened allocators and minor information disclosure, since the OOB value is only consumed arithmetically as a length and is not surfaced to the attacker; there is no write primitive.

AnalysisAI

Off-by-one heap out-of-bounds read in 7-Zip's WIM archive handler (versions 9.34-26.00) allows a remote unauthenticated attacker to trigger denial of service - and potentially minor information disclosure - by delivering a crafted WIM file. The vulnerability is zero-click exploitable in the GUI: 7zFM.exe automatically calls GetRawProp(kpidNtSecure) for every listed item, triggering the OOB read without any additional user interaction beyond opening or navigating to the malicious archive. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Technical ContextAI

The vulnerable code resides in CHandler::GetSecurity within CPP/7zip/Archive/Wim/WimHandler.cpp, which handles the Windows Imaging (WIM) archive format. The WIM handler maintains a per-image SecurOffsets table of numEntries + 1 cumulative offsets. The off-by-one arises because the bounds check securityId >= SecurOffsets.Size() permits securityId to equal numEntries, after which the code dereferences SecurOffsets[securityId + 1] - reading one UInt32 past the end of the heap-allocated CRecordVector, which performs no internal bounds checking on operator[]. The root cause is CWE-125 (Out-of-bounds Read). Critically, the securityId value is attacker-controlled: it resides at offset +0xC within any WIM directory entry embedded in WIM metadata. The handler is registered by default for .wim, .swm, .esd, and .ppkg extensions and is active in stock 7z.dll. The CPE string (cpe:2.3:a:mcmilk:7-zip:*:*:*:*:*:*:*:*) attributes the flaw to the mcmilk-maintained 7-Zip fork on GitHub, though the description also implicates binaries (7zFM.exe, 7zz) associated with official 7-Zip releases - this overlap should be verified with the vendor. The vulnerability has been confirmed via ASan (AddressSanitizer), establishing a reliable crash signal.

RemediationAI

No vendor-released patch with a confirmed fixed version number is available in the provided data. Upstream GitHub Security Lab advisories GHSL-2026-115 and GHSL-2026-122 document the flaw at https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/ - monitor this advisory and the mcmilk 7-Zip GitHub repository for a patched release. Until a fix is available, the most targeted compensating control is to avoid opening untrusted WIM, SWM, ESD, or PPKG files with 7-Zip directly; these extensions can be disassociated from 7-Zip's file handler registration to prevent accidental GUI triggering. For pipeline or server-side environments that automatically process archives, filter or reject WIM-format inputs at ingestion boundaries as a temporary measure - note this blocks legitimate WIM processing as a side effect. The vulnerability is not exploitable for code execution under current analysis, so urgency of patching is lower than for memory-write primitives; however, updating to the patched release once available remains the definitive remediation.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected

Share

EUVD-2026-34852 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy