Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an off-by-one out-of-bounds read vulnerability in the ParseDepedencyExpression function of the UEFI firmware image parser(CPP/7zip/Archive/UefiHandler.cpp). The function validates an attacker-controlled opcode byte using > instead of >= against the element count of the 10-entry kExpressionCommands static array, allowing an opcode value of 10 to read one pointer slot (8 bytes on x64) past the end of the array in .rodata. The out-of-bounds value is then dereferenced as a const char * and passed through strlen and memcpy into the archive's Characts property, which may cause either a denial of service (access violation when the adjacent bytes do not form a valid readable pointer) or a minor information disclosure of an adjacent .rdata string literal into archive metadata. The vulnerability is reached automatically during IInArchive::Open() via the call path OpenFv/OpenCapsule → ParseVolume → ParseSections when processing a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section whose first body byte is 0x0A, and the UEFI handler is enabled by default in stock 7z.dll with signature-based detection for both UEFIc and UEFIf formats. The outcome (crash vs. silent leak) is deterministic per build but linker-layout dependent, with no write primitive and no disclosure of heap data, secrets, or ASLR base addresses. Version 26.01 fixes the issue.
AnalysisAI
Off-by-one out-of-bounds read in 7-Zip's UEFI firmware image parser (versions 9.21-26.00) allows a network-adjacent attacker to trigger either a denial of service (application crash) or minor information disclosure of an adjacent static .rdata string literal into archive metadata, simply by convincing a user to open a crafted UEFI-containing archive. The vulnerability is reached automatically upon archive open with no special user action beyond opening the file, and affects default 7-Zip installations because the UEFI handler is enabled out-of-the-box. No public exploit code has been identified at time of analysis, no KEV listing exists, and the impact is bounded: there is no write primitive and no disclosure of heap data, secrets, or ASLR base addresses.
Technical ContextAI
The flaw resides in the ParseDepedencyExpression function within CPP/7zip/Archive/UefiHandler.cpp, which handles UEFI firmware dependency expressions during archive parsing. The function validates an attacker-controlled opcode byte against the 10-element kExpressionCommands static array using a strict greater-than operator (>) rather than greater-than-or-equal-to (>=), creating an off-by-one condition where opcode value 10 passes the bounds check and causes a read 8 bytes past the end of the array on x64 platforms - reading into adjacent .rodata memory. That out-of-bounds pointer is then dereferenced as a const char* and passed through strlen and memcpy into the archive's Characts property. The root cause is CWE-125 (Out-of-Bounds Read). The code path is automatically activated via IInArchive::Open() through OpenFv/OpenCapsule → ParseVolume → ParseSections when a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section is encountered with a first body byte of 0x0A. Per CPE cpe:2.3:a:mcmilk:7-zip, this affects the mcmilk-attributed 7-Zip distribution across all platforms where the UEFI handler is compiled in, which is the default for stock 7z.dll.
RemediationAI
Vendor-released patch: version 26.01. Upgrade to 7-Zip 26.01 or later, which corrects the off-by-one bounds check in ParseDepedencyExpression by replacing > with >= in the opcode validation against kExpressionCommands. Refer to the GitHub Security Lab advisory at https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/ for full disclosure details. If immediate upgrade is not feasible in automated processing environments (e.g., archive scanning pipelines), consider filtering or rejecting UEFI firmware image inputs (files matching UEFIc/UEFIf signatures) upstream before they reach 7-Zip - this eliminates the vulnerable code path at the cost of losing UEFI archive support. There is no known configuration flag to disable the UEFI handler at runtime without recompiling. For interactive desktop deployments where users must open untrusted archives, the UI:R requirement provides a natural gate; user training to avoid opening unexpected UEFI-format archives reduces exposure until patching is complete.
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Denial Of Service
View allVendor StatusVendor
SUSE
Severity: Low| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34854