PROBABLYPWNED
Vulnerabilities | May 26, 2026 | 4 min read

7-Zip NTFS Handler Flaw Enables Code Execution via Crafted Archives

CVE-2026-48095 in 7-Zip allows attackers to execute arbitrary code through malicious NTFS images. CVSS 8.8 - update to v26.01 immediately.

Marcus Chen

A critical heap buffer overflow vulnerability in 7-Zip's NTFS archive handler allows attackers to execute arbitrary code by tricking users into opening malicious archive files. The flaw, tracked as CVE-2026-48095, carries a CVSS 3.1 score of 8.8 and affects all versions through 26.00.

Jaroslav Lobačevski of the GitHub Security Lab discovered the vulnerability, which stems from undefined behavior in C++ when computing NTFS compression-unit buffer sizes.

How the Vulnerability Works

The flaw resides in the CInStream::GetCuSize() function within NtfsHandler.cpp. The vulnerable code computes buffer size using a 32-bit shift operation: (UInt32)1 << (BlockSizeLog + CompressionUnit).

When an attacker crafts an NTFS image with ClusterSizeLog >= 28 and a compressed data attribute carrying CompressionUnit == 4, the shift exponent reaches 32. Shifting a 32-bit value by 32 is undefined behavior in C++; on x86 hardware the CPU masks the shift count to its low five bits, so a count of 32 becomes 0 and the expression evaluates to 1, causing _inBuf to be allocated as just one byte.

The undersized buffer is then passed to ReadStream_FALSE, which writes up to 256 MB of attacker-controlled data into that single-byte allocation. The resulting heap overflow enables a classic vtable hijack, giving attackers arbitrary code execution.

Any File Extension Can Trigger the Bug

What makes this vulnerability particularly dangerous is how 7-Zip handles file detection. The NTFS handler uses signature-based fallback detection, meaning a malicious NTFS image can be disguised with any file extension—.7z, .zip, .rar, or even no extension at all.

When an extension-matched handler rejects the file, 7-Zip falls back to signature detection, which identifies the malicious NTFS image and routes it to the vulnerable handler. This behavior mirrors the WinRAR CVE-2025-6218 exploitation pattern we covered earlier this year, where APT groups leveraged similar archive parsing flaws to deliver malware.

Security teams should note that traditional file extension blocklists won't protect against this attack. An attacker could name the malicious payload quarterly_report.xlsx and 7-Zip would still process it through the vulnerable NTFS handler.
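To make the shift condition and the extension-independent detection concrete, here is an added C example (this editor's code, not 7-Zip's or GitHub Security Lab's). It assumes BlockSizeLog equals the image's ClusterSizeLog, reads the standard NTFS boot-sector fields (OEM ID at offset 3, bytes per sector at offset 11, sectors per cluster at offset 13) to derive that log, and shows the checked form of the buffer-size computation beside a gateway/CI triage function that flags images whose cluster size would push the shift to 32, whatever the file's extension.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Checked form of the article's (UInt32)1 << (BlockSizeLog + CompressionUnit):
 * a count of 32 or more is rejected up front instead of being masked by the CPU. */
static bool cu_size_checked(unsigned blockSizeLog, unsigned compressionUnit, uint32_t *out)
{
    unsigned shift = blockSizeLog + compressionUnit;
    if (shift >= 32) return false;          /* would be undefined behaviour */
    *out = (uint32_t)1 << shift;
    return true;
}
/* log2 of a power of two, or -1 for anything else. */
static int log2_pow2(unsigned v)
{
    if (v == 0 || (v & (v - 1)) != 0) return -1;
    int l = 0;
    while ((v >> l) > 1) l++;
    return l;
}
/* Cluster-size log from an NTFS boot sector: OEM ID "NTFS    " at offset 3,
 * bytes per sector (LE16) at offset 11, sectors per cluster at offset 13 (a value
 * above 0x80 encodes 2^(256 - value) sectors), 0x55AA at 510. -1 if not NTFS. */
static int ntfs_cluster_size_log(const uint8_t *sec, size_t len)
{
    if (len < 512 || memcmp(sec + 3, "NTFS    ", 8) != 0 ||
        sec[510] != 0x55 || sec[511] != 0xAA) return -1;
    int bpsLog = log2_pow2((unsigned)sec[11] | ((unsigned)sec[12] << 8));
    unsigned spc = sec[13];
    int spcLog = spc > 0x80 ? (int)(256 - spc) : log2_pow2(spc);
    return (bpsLog < 0 || spcLog < 0) ? -1 : bpsLog + spcLog;
}
/* Gateway/CI triage, independent of extension: true when the cluster-size log plus
 * the largest compression unit the article cites (4) would reach a shift of 32. */
static bool ntfs_image_is_suspicious(const uint8_t *sec, size_t len)
{
    int csl = ntfs_cluster_size_log(sec, len);
    uint32_t cu;
    return csl >= 0 && !cu_size_checked((unsigned)csl, 4, &cu);
}
/* Constructed boot sector for testing, not captured from a real image. */
static void make_boot_sector(uint8_t *buf, unsigned bps, uint8_t spc)
{
    memset(buf, 0, 512);
    memcpy(buf + 3, "NTFS    ", 8);
    buf[11] = (uint8_t)bps; buf[12] = (uint8_t)(bps >> 8); buf[13] = spc;
    buf[510] = 0x55; buf[511] = 0xAA;
}
```

The triage function is a shape heuristic for quarantine decisions, not proof of exploitation: a legitimate image with very large clusters would also be flagged, which is an acceptable trade-off at a mail gateway.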

Exploitation Requirements

Successful exploitation requires:

  1. Attacker crafts a malicious NTFS image with specific ClusterSizeLog and CompressionUnit values
  2. Victim opens the file using 7-Zip (any version through 26.00)
  3. No additional user interaction needed beyond opening the archive

The attack surface extends to any workflow where 7-Zip processes untrusted archives—email attachments, file uploads, automated backup systems, or development pipelines that extract dependencies.

Why This Matters

Archive utilities represent a persistent attack surface because they parse complex file formats from untrusted sources by design. This vulnerability is classified under CWE-787 (Out-of-Bounds Write) and CWE-190 (Integer Overflow or Wraparound), both common root causes in archive handler exploits.

The 7-Zip flaw follows a broader pattern of compression utility vulnerabilities. Earlier this year, we covered how Apache HTTP/2 CVE-2026-23918 demonstrated similar memory corruption issues in data handling code. Organizations that audit web server configurations but overlook desktop utilities may miss similar exposure.

Given 7-Zip's widespread use—it's a default tool in many IT departments and CI/CD pipelines—enterprises should treat this as a priority patch. The utility is commonly installed on developer workstations, build servers, and administrative endpoints where an RCE vulnerability has outsized impact.

Recommended Actions

  1. Update immediately - Upgrade to 7-Zip v26.01, which patches the vulnerable GetCuSize() computation
  2. Block at the perimeter - Configure email gateways to quarantine NTFS image files (.ntfs, .img) and archives containing them; because the handler falls back to signature detection, pair extension rules with content inspection rather than relying on extensions alone
  3. Audit automated systems - Identify CI/CD pipelines, backup systems, and scripts that invoke 7-Zip on untrusted input
  4. Monitor for exploitation - Watch for 7-Zip crashes or unusual memory usage patterns that could indicate exploitation attempts

For organizations managing cybersecurity tools and endpoint configurations, adding 7-Zip version monitoring to existing vulnerability management workflows is straightforward given the clear version boundary.

Technical Classification

Property    Value
CVE         CVE-2026-48095
Advisory    GHSL-2026-140
CVSS 3.1    8.8 (High)
CWE         CWE-787, CWE-190
Vector      AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Affected    7-Zip through v26.00
Fixed       7-Zip v26.01

Users running older 7-Zip versions should update regardless of whether they knowingly handle NTFS images. The signature-based fallback detection means any archive file could potentially trigger the vulnerable code path.
