Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
Lifecycle Timeline
2DescriptionGitHub Advisory
7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain a heap out-of-bounds read in 7-Zip Ar handler BSD SYMDEF parser. A 4-byte heap out-of-bounds read exists in the Unix ar archive parser in 7-Zip. When parsing a BSD-style __.SYMDEF symbol table, the ParseLibSymbols function reads a 32-bit namesSize field via Get32 at a position that can equal the buffer size, reading 4 bytes past the end of the heap allocation. This reads uninitialized heap data under the default allocator. Version 26.01 patches the issue.
AnalysisAI
Heap out-of-bounds read in 7-Zip's Unix ar archive parser (versions 9.18 through 26.00) allows a remote unauthenticated attacker to leak uninitialized heap memory contents by convincing a user to open a specially crafted archive. The ParseLibSymbols function mishandles the BSD-style __.SYMDEF symbol table by reading 4 bytes past the end of a heap allocation when the namesSize field position equals the buffer boundary, exposing heap data with high confidentiality impact. No public exploit has been identified at time of analysis, and no KEV listing exists; version 26.01 patches the issue.
Technical ContextAI
The vulnerability resides in 7-Zip's Ar (Unix archive) format handler, specifically in the ParseLibSymbols function responsible for parsing BSD-style __.SYMDEF symbol tables embedded in .ar archives. The function reads a 32-bit namesSize field using the Get32 helper at an offset that can legally equal the heap allocation's terminal boundary, causing a 4-byte overread into adjacent, uninitialized heap memory under the default allocator. The CWE-190 classification (Integer Overflow or Wraparound) indicates that an integer calculation governing the read position fails to enforce a strict less-than bound check before performing the Get32 read, conflating an at-boundary position with a valid within-bounds position. The affected CPE is cpe:2.3:a:mcmilk:7-zip:*:*:*:*:*:*:*:*, which corresponds to the mcmilk community-maintained fork of 7-Zip; analysts should verify whether the upstream Igor Pavlov distribution shares the identical parser code. The root cause is a boundary condition off-by-one in a 32-bit field extraction, not a memory corruption write - limiting impact to confidentiality.
RemediationAI
The vendor-released patch is 7-Zip version 26.01, which corrects the boundary condition in ParseLibSymbols to prevent the out-of-bounds Get32 read. Users should upgrade to 26.01 or later from their distribution source. The GitHub Security Lab advisory (https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/) provides additional disclosure context. For environments where immediate upgrade is not feasible, a compensating control is to block or disallow processing of .ar archive files at the gateway or endpoint level, or to restrict 7-Zip usage to trusted archive sources only - noting the trade-off that legitimate Unix ar archives (commonly used in Debian package files and static libraries) would be disrupted. No additional workarounds are described in the available data beyond upgrading to 26.01.
Same weakness CWE-190 – Integer Overflow or Wraparound
View allSame technique Integer Overflow
View allVendor StatusVendor
SUSE
Severity: Low| Product | Status |
|---|---|
| SUSE Linux Enterprise Desktop 15 SP7 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP7 | Affected |
| SUSE Linux Enterprise Module for Basesystem 15 SP7 | Affected |
| SUSE Linux Enterprise Server 15 SP7 | Affected |
| SUSE Linux Enterprise Server 16.0 | Affected |
| SUSE Linux Enterprise Server 16.1 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP7 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.0 | Affected |
| SUSE Linux Enterprise Server for SAP applications 16.1 | Affected |
| openSUSE Leap 16.0 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP4-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP5-LTSS | Affected |
| SUSE Linux Enterprise Server 15 SP6-LTSS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP6 | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS | Affected |
| SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP4 | Affected |
| SUSE Linux Enterprise Server for SAP Applications 15 SP5 | Affected |
| openSUSE Leap 15.6 | Affected |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34857