Critical Vulnerability in 7-Zip's NTFS Parser
Researchers have disclosed a critical vulnerability in the widely used 7-Zip compression utility. Opening a specially crafted disk image can lead to arbitrary remote code execution rather than a simple decompression failure. The memory corruption lies in 7-Zip's internal parser for NTFS images, and because the file extension does not determine which parser handles a file, a malicious image can be disguised as an ordinary archive format or carry no extension at all.
Timeline and Affected Versions
The flaw is tracked as CVE-2026-48095 and carries a CVSS 3.1 score of 8.8. GitHub Security Lab reported the vulnerability to the developer on April 24, 2026, and a fix was released in version 26.01 on April 27. The defect was confirmed in version 26.00, but the underlying miscalculation has existed for years: it was introduced when handling of NTFS compressed streams was first added. All versions up to and including 26.00 are therefore affected.
Technical Details of the Out-of-Bounds Write
The flaw lies in the handler that parses NTFS metadata. When processing a malformed image, the parser accepts an excessively large cluster size together with an invalid CompressionUnit value. The calculation of the input buffer size for the compressed data then goes wrong: a bitwise shift on a 32-bit integer invokes undefined behavior, and the computed size is far too small. As a result, 7-Zip allocates a buffer of only one byte and then attempts to write up to 256 megabytes of attacker-controlled data into it.
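The size miscalculation described above, as an added illustration constructed for this article (this is not 7-Zip's code): the formula cluster_size << compression_unit, the MAX_UNIT_BYTES cap and the sample inputs are assumptions, but the pattern of shifting a 32-bit quantity by an unvalidated count and handing the result to an allocator, shown next to a version that validates the count and bounds the size first, is what the vulnerability turns on.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the size-computation pattern; NOT 7-Zip's
 * code. The formula (cluster_size << compression_unit) is an assumption. */

/* Hypothetical upper bound on a sane compressed-unit buffer. */
#define MAX_UNIT_BYTES (64u * 1024u * 1024u)

/* Naive 32-bit computation. A real 32-bit shift by >= 32 is undefined
 * behaviour; here the shift is done in 64 bits and truncated so the demo
 * is deterministic, which still shows the wrap to a tiny size. */
uint32_t naive_unit_size(uint32_t cluster_size, unsigned compression_unit)
{
    uint64_t wide = (compression_unit < 64)
                        ? ((uint64_t)cluster_size << compression_unit) : 0;
    return (uint32_t)wide; /* silently drops the high bits */
}

/* Hardened version: validate both inputs before they reach the allocator. */
bool checked_unit_size(uint32_t cluster_size, unsigned compression_unit,
                       uint32_t *out)
{
    /* Cluster size must be a non-zero power of two. */
    if (cluster_size == 0 || (cluster_size & (cluster_size - 1)) != 0)
        return false;
    /* Shift count must stay below the operand width (no UB). */
    if (compression_unit >= 32)
        return false;
    uint64_t size = (uint64_t)cluster_size << compression_unit;
    /* Reject sizes the parser could never legitimately need. */
    if (size == 0 || size > MAX_UNIT_BYTES)
        return false;
    *out = (uint32_t)size;
    return true;
}

int main(void)
{
    uint32_t ok = 0;
    /* Constructed malicious pair: 4 KiB clusters with a CompressionUnit of 20
     * wrap to 0 in 32-bit arithmetic, so a naive allocator gets a tiny request. */
    printf("naive   (4096, 20): %u bytes\n", naive_unit_size(4096, 20));
    printf("checked (4096, 20): %s\n",
           checked_unit_size(4096, 20, &ok) ? "accepted" : "rejected");
    printf("checked (4096,  4): %s, %u bytes\n",
           checked_unit_size(4096, 4, &ok) ? "accepted" : "rejected", ok);
    return 0;
}
```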
From Heap Corruption to Code Execution
Security analysts note that this heap-based out-of-bounds write corrupts the underlying stream object, which lets an attacker overwrite its virtual method table pointer. In practice that provides a path to arbitrary code execution, or at minimum an application crash. The victim only needs to open, test, or extract files from the crafted NTFS image.
Impact on 32-bit and 64-bit Builds
The issue affects both 32-bit and 64-bit builds. On 32-bit systems, exploitation almost always fails with memory exhaustion because of the limited address space. On 64-bit systems, successful exploitation depends on the platform being able to allocate a large secondary output buffer, which is realistic on modern machines with 16 GB of RAM or more. If the system lacks enough memory, the failure degrades into a denial-of-service condition.
Signature-Based Format Detection Widens the Attack Surface
A separate contributing factor is 7-Zip's format detection. The NTFS parser is associated with the .ntfs and .img file extensions, but 7-Zip also identifies formats by their magic numbers and signatures. If the extension-based lookup does not match, the utility falls back to inspecting the file contents and recognizes an NTFS image by the signature at the start of the file. A malicious image therefore reaches the vulnerable handler even when it is named with a .7z, .zip, or .rar extension.
Remediation and Recommended Actions
The vulnerability was found by security researcher Yaroslav Lobachevsky, who works as @JarLob at GitHub Security Lab. All 7-Zip users should upgrade to version 26.01 or later. Enterprise administrators should also block the processing of unvetted disk images, and users should avoid opening archives from untrusted sources.