Skip to main content

7-Zip EUVDEUVD-2026-34854

| CVE-2026-48111 MEDIUM
Out-of-bounds Read (CWE-125)
2026-06-05 GitHub_M
4.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
SUSE
3.3 LOW
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

2
Patch available
Jun 05, 2026 - 18:01 EUVD
Analysis Generated
Jun 05, 2026 - 17:23 vuln.today

DescriptionGitHub Advisory

7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an off-by-one out-of-bounds read vulnerability in the ParseDepedencyExpression function of the UEFI firmware image parser(CPP/7zip/Archive/UefiHandler.cpp). The function validates an attacker-controlled opcode byte using > instead of >= against the element count of the 10-entry kExpressionCommands static array, allowing an opcode value of 10 to read one pointer slot (8 bytes on x64) past the end of the array in .rodata. The out-of-bounds value is then dereferenced as a const char * and passed through strlen and memcpy into the archive's Characts property, which may cause either a denial of service (access violation when the adjacent bytes do not form a valid readable pointer) or a minor information disclosure of an adjacent .rdata string literal into archive metadata. The vulnerability is reached automatically during IInArchive::Open() via the call path OpenFv/OpenCapsule → ParseVolume → ParseSections when processing a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section whose first body byte is 0x0A, and the UEFI handler is enabled by default in stock 7z.dll with signature-based detection for both UEFIc and UEFIf formats. The outcome (crash vs. silent leak) is deterministic per build but linker-layout dependent, with no write primitive and no disclosure of heap data, secrets, or ASLR base addresses. Version 26.01 fixes the issue.

AnalysisAI

Off-by-one out-of-bounds read in 7-Zip's UEFI firmware image parser (versions 9.21-26.00) allows a network-adjacent attacker to trigger either a denial of service (application crash) or minor information disclosure of an adjacent static .rdata string literal into archive metadata, simply by convincing a user to open a crafted UEFI-containing archive. The vulnerability is reached automatically upon archive open with no special user action beyond opening the file, and affects default 7-Zip installations because the UEFI handler is enabled out-of-the-box. No public exploit code has been identified at time of analysis, no KEV listing exists, and the impact is bounded: there is no write primitive and no disclosure of heap data, secrets, or ASLR base addresses.

Technical ContextAI

The flaw resides in the ParseDepedencyExpression function within CPP/7zip/Archive/UefiHandler.cpp, which handles UEFI firmware dependency expressions during archive parsing. The function validates an attacker-controlled opcode byte against the 10-element kExpressionCommands static array using a strict greater-than operator (>) rather than greater-than-or-equal-to (>=), creating an off-by-one condition where opcode value 10 passes the bounds check and causes a read 8 bytes past the end of the array on x64 platforms - reading into adjacent .rodata memory. That out-of-bounds pointer is then dereferenced as a const char* and passed through strlen and memcpy into the archive's Characts property. The root cause is CWE-125 (Out-of-Bounds Read). The code path is automatically activated via IInArchive::Open() through OpenFv/OpenCapsule → ParseVolume → ParseSections when a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section is encountered with a first body byte of 0x0A. Per CPE cpe:2.3:a:mcmilk:7-zip, this affects the mcmilk-attributed 7-Zip distribution across all platforms where the UEFI handler is compiled in, which is the default for stock 7z.dll.

RemediationAI

Vendor-released patch: version 26.01. Upgrade to 7-Zip 26.01 or later, which corrects the off-by-one bounds check in ParseDepedencyExpression by replacing > with >= in the opcode validation against kExpressionCommands. Refer to the GitHub Security Lab advisory at https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/ for full disclosure details. If immediate upgrade is not feasible in automated processing environments (e.g., archive scanning pipelines), consider filtering or rejecting UEFI firmware image inputs (files matching UEFIc/UEFIf signatures) upstream before they reach 7-Zip - this eliminates the vulnerable code path at the cost of losing UEFI archive support. There is no known configuration flag to disable the UEFI handler at runtime without recompiling. For interactive desktop deployments where users must open untrusted archives, the UI:R requirement provides a natural gate; user training to avoid opening unexpected UEFI-format archives reduces exposure until patching is complete.

Vendor StatusVendor

SUSE

Severity: Low
Product Status
SUSE Linux Enterprise Desktop 15 SP7 Affected
SUSE Linux Enterprise High Performance Computing 15 SP7 Affected
SUSE Linux Enterprise Module for Basesystem 15 SP7 Affected
SUSE Linux Enterprise Server 15 SP7 Affected
SUSE Linux Enterprise Server 16.0 Affected

Share

EUVD-2026-34854 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy