CVE-2026-48095: 7-Zip NTFS Handler Heap Overflow

A heap overflow in 7-Zip’s NTFS handler allows for RCE via crafted files. The vulnerability involves signature-based file routing that operates independently o…

On May 22, 2026, GitHub Security Lab published advisory GHSL-2026-140, detailing a heap buffer overflow in the 7-Zip NTFS handler. Tracked as CVE-2026-48095 with a CVSS 3.1 score of 8.8, the flaw is made reachable from any file type by an architectural detail: 7-Zip selects the NTFS parser through signature-based fallback rather than by file extension. A .pdf document, a .zip archive, or a file with no extension at all reaches the same handler if it carries the NTFS signature. The fix, version 26.01, has been available since April 27, 2026.

Key Takeaways
  • The bug resides in the CInStream::GetCuSize() function within NtfsHandler.cpp. Shifting a 32-bit integer left by 32 positions is undefined behavior; on x86, where the hardware masks the shift count, the expression evaluates to 1, so a 1-byte buffer is allocated where the parser expects room for up to 256 MB of data.
  • The exploit achieves arbitrary code execution via vtable hijacking on 64-bit systems with at least 16 GB of RAM. On hardware with less memory, the impact is limited to a crash or denial of service.
  • The attack is extension-agnostic: 7-Zip routes any file containing the "NTFS " magic bytes to the vulnerable handler, whatever its name.
  • Researcher Jaroslav Lobačevski has released the gen_ntfs_sparse.py PoC. The private report was made on April 24, 2026, and the fixed version 26.01 followed three days later, on April 27.

The Mechanism: From a Faulty Shift to Full Compromise

The core of the flaw is a C++ buffer size calculation containing the expression (UInt32)1 << (BlockSizeLog + CompressionUnit). When the two exponents sum to 32, shifting a 32-bit integer by 32 positions is undefined behavior. On x86 the hardware masks the shift count to its low five bits, so a count of 32 becomes 0 and the expression evaluates to 1. Consequently, the _inBuf buffer is allocated at 1 byte rather than the required size.

The program then proceeds with a ReadStream_FALSE call that writes up to 256 MB of data into that single byte. As documented by PBXScience, the first 64 KB read cycle is enough to overwrite the vtable pointer of the CInStream object, which sits 304 bytes further along the heap. From this point, the program invokes virtual methods through a corrupted vtable, giving the attacker control over execution flow.
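To make the size bug concrete, the following is an added example (not code from 7-Zip, the advisory or this article) that places the faulty computation beside a hardened form. The first function emulates, with an explicit mask, what the article describes happening on x86 when the count reaches 32; the second rejects any exponent that would not fit a 32-bit shift before shifting and caps the result. The cap kMaxCuSize and the function names are assumptions chosen here for illustration; the article mentions 256 MB as the largest read, and nothing more about 7-Zip's own bounds.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>
#include <inttypes.h>

typedef uint32_t UInt32;

/* Emulation of the faulty path as the article describes it on x86:
 * the hardware keeps only the low five bits of the shift count, so a
 * count of 32 becomes 0 and (UInt32)1 << 0 == 1. The mask is written
 * out here so this function itself is well-defined C, unlike the
 * original expression (UInt32)1 << (BlockSizeLog + CompressionUnit). */
static UInt32 faulty_cu_size_x86(unsigned blockSizeLog, unsigned compressionUnit)
{
    unsigned shift = blockSizeLog + compressionUnit;
    return (UInt32)1 << (shift & 31);
}

/* Hypothetical policy cap (assumption, not 7-Zip's value): the largest
 * compression unit this parser is willing to buffer. */
#define kMaxCuSize ((uint64_t)256 << 20)   /* 256 MB */

/* Hardened version: validate each operand and the sum before shifting,
 * compute in 64 bits, and enforce the cap. Returns false when the
 * header values are unusable, so the caller never allocates a buffer
 * smaller than the data it is about to read into it. */
static bool safe_cu_size(unsigned blockSizeLog, unsigned compressionUnit, uint64_t *out)
{
    /* Check the operands individually too, so a huge value cannot wrap
     * the unsigned sum back into range. */
    if (blockSizeLog > 31 || compressionUnit > 31)
        return false;
    unsigned shift = blockSizeLog + compressionUnit;
    if (shift > 31)
        return false;                       /* would be UB in a 32-bit shift */
    uint64_t size = (uint64_t)1 << shift;
    if (size > kMaxCuSize)
        return false;                       /* exceeds the policy cap */
    *out = size;
    return true;
}

/* Convenience wrapper: the computed size, or 0 when the input is rejected. */
static uint64_t cu_size_or_zero(unsigned blockSizeLog, unsigned compressionUnit)
{
    uint64_t size;
    return safe_cu_size(blockSizeLog, compressionUnit, &size) ? size : 0;
}

int main(void)
{
    /* A 1 MB block size (log 20) with a compression unit exponent of 12
     * sums to 32: the trigger condition the article describes. */
    printf("faulty x86 result for 20+12: %" PRIu32 " byte(s)\n", faulty_cu_size_x86(20, 12));
    printf("hardened result for 20+12:   %" PRIu64 " (0 = rejected)\n", cu_size_or_zero(20, 12));
    printf("hardened result for 12+4:    %" PRIu64 "\n", cu_size_or_zero(12, 4));
    return 0;
}
```

The important property is that the hardened path fails closed: a header that asks for an impossible compression unit causes the parse to stop, whereas the original path silently allocates one byte and proceeds to read into it.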

Why Extensions No Longer Protect Users

7-Zip's routing logic does not rely on extensions to select a parser. When a file carries the "NTFS " magic bytes at the expected offset, the NTFS handler activates regardless of the filename or extension. An email attachment named invoice.pdf, resume.docx, or one with no extension at all exposes the same attack surface as a legitimate .ntfs image.
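A practitioner checking whether inbound files would be routed to the NTFS handler cannot rely on the filename, so the check has to look at the bytes. The following is an added example (not from the article, the advisory or 7-Zip) that tests the first bytes of a file for the NTFS boot sector OEM ID, "NTFS" followed by four spaces at offset 3, and flags files whose extension does not match what the header says. The offset and the 8-byte OEM ID come from the NTFS boot sector layout and from my reading of 7-Zip's handler signature, not from this page; the article itself only quotes the shorter "NTFS " string. The extension allowlist in disguised_ntfs() is a hypothetical policy for illustration.

```c
#include <stddef.h>
#include <stdbool.h>
#include <string.h>
#include <ctype.h>
#include <stdio.h>

/* NTFS boot sector: 3-byte jump, then the 8-byte OEM ID at offset 3.
 * Assumption (not stated on the page): this is the signature the 7-Zip
 * NTFS handler keys on, which is why the extension is irrelevant. */
#define NTFS_SIG_OFFSET 3
static const unsigned char kNtfsOemId[8] = { 'N','T','F','S',' ',' ',' ',' ' };

/* True if the buffer starts like an NTFS boot sector, whatever the name. */
static bool has_ntfs_signature(const unsigned char *buf, size_t len)
{
    if (len < NTFS_SIG_OFFSET + sizeof kNtfsOemId)
        return false;
    return memcmp(buf + NTFS_SIG_OFFSET, kNtfsOemId, sizeof kNtfsOemId) == 0;
}

/* Case-insensitive comparison of a file extension against an expected one. */
static bool ext_is(const char *ext, const char *want)
{
    for (; *ext && *want; ext++, want++)
        if (tolower((unsigned char)*ext) != tolower((unsigned char)*want))
            return false;
    return *ext == '\0' && *want == '\0';
}

/* Extension of the basename without the dot, or "" when there is none. */
static const char *file_extension(const char *path)
{
    const char *base = strrchr(path, '/');
    base = base ? base + 1 : path;
    const char *dot = strrchr(base, '.');
    return dot ? dot + 1 : "";
}

/* True when the header says NTFS but the name does not: the
 * invoice.pdf case from the article. The allowlist of "expected"
 * extensions is a hypothetical policy choice for this example. */
static bool disguised_ntfs(const char *name, const unsigned char *buf, size_t len)
{
    if (!has_ntfs_signature(buf, len))
        return false;
    const char *ext = file_extension(name);
    return !(ext_is(ext, "ntfs") || ext_is(ext, "img"));
}

/* Constructed sample headers for the test, not real files. */
static const unsigned char kPdfHeader[] = "%PDF-1.7\n";
static const unsigned char kNtfsHeader[] = {
    0xEB, 0x52, 0x90,                         /* jump instruction */
    'N','T','F','S',' ',' ',' ',' ',          /* OEM ID */
    0x00, 0x02,                               /* bytes per sector: 512 */
    0x08                                      /* sectors per cluster */
};

int main(int argc, char **argv)
{
    unsigned char hdr[16];
    for (int i = 1; i < argc; i++) {
        FILE *f = fopen(argv[i], "rb");
        if (!f) { perror(argv[i]); continue; }
        size_t n = fread(hdr, 1, sizeof hdr, f);
        fclose(f);
        if (disguised_ntfs(argv[i], hdr, n))
            printf("%s: NTFS boot-sector signature under a non-NTFS name\n", argv[i]);
        else if (has_ntfs_signature(hdr, n))
            printf("%s: NTFS boot-sector signature\n", argv[i]);
        else
            printf("%s: no NTFS signature\n", argv[i]);
    }
    return 0;
}
```

A match says only that 7-Zip would hand the file to the NTFS handler, not that the file is malicious; deciding whether the trigger condition is present would require parsing further into the image, which the article does not specify. The value of the check is in quarantining files whose header and extension disagree before any unpatched 7-Zip build touches them.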

The SocPrime advisory notes that "the malformed file does not need a dedicated NTFS extension to reach the vulnerable handler."

"With only a 1-byte buffer allocated, the program immediately invokes a ReadStream_FALSE call that writes up to 256 MB of attacker-controlled data into that single byte — a severe heap overflow." — PBXScience, advisory GHSL-2026-140

Exploit Conditions: RCE vs. DoS

The feasibility of a full exploit depends on the target machine's resources. On 64-bit systems with at least 16 GB of RAM, the vtable hijacking chain leads to arbitrary code execution. On devices with limited memory, aggressive allocation or failed read operations result in crashes or denial-of-service conditions without achieving execution flow control.

This bifurcation has concrete operational consequences for enterprise environments. Malware analysis workstations, typically configured with high-performance hardware and abundant memory, represent the platforms most exposed to full compromise. Legacy systems or endpoint devices with low RAM suffer availability impacts but do not expose the same surface for exfiltration or persistence.

Timeline and Patch Availability

The private report to maintainer Igor Pavlov occurred on April 24, 2026. The release of version 26.01, documented on the official 7-zip.org site and dated April 27, 2026, followed three days later. The public advisory from GitHub Security Lab was published on May 22, 2026. The gen_ntfs_sparse.py PoC, a Python script for generating crafted NTFS images, accompanies the disclosure.

Converging sources identify Jaroslav Lobačevski, a researcher at GitHub Security Lab, as the discoverer. The Twitter profile @JarLob is cited in primary sources. The CVSS 3.1 score of 8.8, with the vector AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, classifies the vulnerability as High: network access, low complexity, no privileges required, user interaction necessary (opening a file), and high impact on the CIA triad for a single system.

Required Actions

The priority action is upgrading to version 26.01 for all 7-Zip installations, including those integrated into automated pipelines or malware analysis tools. The patch has been available since April 27, 2026, and corrects the buffer size calculation in NtfsHandler.cpp.

Security teams should evaluate removing, or rigorously sandboxing, 7-Zip version 26.00 and earlier in automated suspicious-file analysis tools, given the combination of a public PoC and low attack complexity.

SOC analysts should flag anomalous 7-Zip crashes on high-RAM workstations as potential exploit indicators rather than simple application instability. Automated systems processing external archives, including those in the supply chain, require version verification and environment isolation during extraction.

End-users must update 7-Zip through official channels and treat any file received via email or download with equal caution, regardless of the visible extension.
