
7-Zip Flaw Lets a Crafted File Take Over Your PC: CVE-2026-48095, Update to 26.01

A flaw in the free 7-Zip compressor lets a crafted file take over a PC just by being opened. Tracked as CVE-2026-48095 (CVSS 8.8), it affects version 26.00 and earlier and can trigger even from files disguised as .zip or .rar. 7-Zip has no auto-update and PoC code is public. Here are the affected versions, update steps, and what to do now.


Makoto Horikawa

Backend Engineer / AWS / Django

2026.06.06 | 9 min read

A serious security flaw has been found in 7-Zip, the free compression and extraction tool used around the world, that can let an attacker take over a computer simply by getting the user to open a crafted file. It is tracked as CVE-2026-48095, with a CVSS v3.1 severity score of 8.8, the second-highest of four bands ("High").

The problem affects every version of 7-Zip up to and including 26.00. The developer fixed it in version 26.01, released on April 27, 2026, but 7-Zip has no automatic-update mechanism like a browser or a phone app. Many people install it once and leave it untouched for years, so the copy on your machine may still be old. Proof-of-concept (PoC) exploit code is already public, and outlets have been urging users to update to the latest version.

This article explains, in plain terms, what happens, why "it has a .zip extension so it must be safe" no longer holds, how hard the flaw is to exploit in practice, and what you should do on your own computer right now.

Which versions are affected, and how to update

Here is the bottom line first. If your 7-Zip is 26.00 or older, it is affected. Updating to 26.01 or later closes the hole. You can check your version by launching 7-Zip and opening "Help" → "About 7-Zip" from the menu.

Your version                              | Status         | What to do now
26.01 or later                            | Fixed          | No action needed
26.00 or older (25.x / 24.x / earlier)    | Affected       | Update to 26.01 or later
Unknown                                   | Needs checking | Check via Help → About

Always download the latest installer from the official 7-Zip site (7-zip.org) and install it over the top. As a rule, avoid search-ad links and unfamiliar mirror sites. You do not need to uninstall the old version first; running the new installer overwrites it. Note also that p7zip, used on Linux and macOS, and other software that bundles 7-Zip's code internally may carry the same flaw. Check the update notices from those distributors as well.

What happens: opening a crafted file can hand over your PC

The flaw lives in the code that 7-Zip uses to read a type of file called an NTFS image. NTFS is the disk format Windows uses, and an NTFS image packs the contents of such a disk into a single file. 7-Zip has a dedicated reader (the NTFS handler) so it can unpack these disk images too.

The trouble is that when an attacker feeds 7-Zip an NTFS image with tampered values, the program miscalculates how much memory to set aside. Where it should reserve a sufficiently large space (a buffer), the broken math reserves just a single byte. Up to 256 MB of attacker-supplied data is then written in, overflowing far past that one-byte slot and corrupting other parts of memory. This is a classic "heap buffer overflow," a common foothold for takeover.

CVE-2026-48095: a heap buffer overflow in NTFS image handling

The flaw is tracked as CVE-2026-48095. Technically it is a combination of an "integer overflow" (CWE-190) and an "out-of-bounds write" (CWE-787). It was found by Jaroslav Lobačevski of GitHub Security Lab.

According to the technical write-up, setting a specific parameter inside the NTFS image (the cluster-size value) to an abnormal size makes the multiplication used for memory allocation break down, collapsing the allocated size to one byte. As reading continues, important data in adjacent memory (a marker that tells the program which routine to call next) is overwritten, which, as security firms have analyzed, ultimately lets the attacker run code of their choosing. The hijacked code runs with the privileges of whoever is running that 7-Zip. In other words, if you open a file with your normal account, the attacker's code runs with your normal account too.
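To make the mechanism in the two paragraphs above concrete, here is an added illustration (my own code, not 7-Zip's parser) of the allocation-size pattern the write-up describes: a 32-bit product of two header fields that wraps to 1 for a crafted value, next to a hardened version that validates the fields and bounds the product before anything is allocated. The field names, the limits and the sample header values are assumptions constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Limits for a sane image (assumed values; a real parser derives its own). */
#define MAX_CLUSTER_SIZE  (2u * 1024u * 1024u)    /* 2 MiB per cluster */
#define MAX_BUFFER_BYTES  (256u * 1024u * 1024u)  /* 256 MiB for any single read buffer */

/* Vulnerable pattern: the buffer size is a 32-bit product of two header fields
 * (cluster_size is attacker-controlled in a crafted image) and silently wraps, so a
 * crafted header shrinks the allocation while the data copied later keeps its real length. */
uint32_t naive_alloc_size(uint32_t cluster_size, uint32_t cluster_count) {
    return cluster_size * cluster_count;          /* wraps modulo 2^32 */
}

/* Hardened version: validate the fields and bound the product before it reaches malloc. */
bool checked_alloc_size(uint32_t cluster_size, uint32_t cluster_count, uint64_t *out) {
    if (cluster_size == 0 || (cluster_size & (cluster_size - 1)) != 0 ||
        cluster_size > MAX_CLUSTER_SIZE)
        return false;                             /* must be a sane power of two */
    if (cluster_count > MAX_BUFFER_BYTES / cluster_size)
        return false;                             /* over the cap, so it also cannot overflow */
    *out = (uint64_t)cluster_size * cluster_count;
    return true;
}

/* Simulated read path: returns the buffer size in bytes, or 0 when the hardened path
 * rejects the header. Nothing is ever written into the buffer on purpose. */
uint64_t load_clusters(uint32_t cluster_size, uint32_t cluster_count, bool hardened) {
    uint64_t size;
    if (hardened) {
        if (!checked_alloc_size(cluster_size, cluster_count, &size)) return 0;
    } else {
        size = naive_alloc_size(cluster_size, cluster_count);
    }
    unsigned char *buf = malloc(size ? (size_t)size : 1);
    if (buf == NULL) return 0;
    free(buf);
    return size;
}

int main(void) {
    /* Constructed crafted header: (2^31 + 1)^2 = 2^62 + 2^32 + 1, i.e. 1 modulo 2^32 */
    printf("naive: crafted -> %u bytes, sane -> %u bytes\n",
           naive_alloc_size(0x80000001u, 0x80000001u), naive_alloc_size(4096u, 16u));
    printf("checked: crafted -> %llu (0 = rejected), sane -> %llu bytes\n",
           (unsigned long long)load_clusters(0x80000001u, 0x80000001u, true),
           (unsigned long long)load_clusters(4096u, 16u, true));
    return 0;
}
```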

Who wants this bug, and what do they walk off with

What makes this flaw genuinely dangerous is that getting you to open a single file — with no password and no login required — is enough to start the attacker's program running inside that computer. The people who go after this are the senders of targeted emails that arrive disguised as files from a client or a job applicant, distributors who push pirated copies of popular software and videos, and fraud groups that send "quotes" or "outsourced materials". What they are after is whatever sits on that machine: work documents and customer lists, the IDs and passwords for various services, credentials saved in the browser, and crypto-wallet keys — the things that translate directly into cash or the next break-in. The moment a crafted archive is opened, the program that harvests all of this launches under your own account.

Once that program is running, the damage does not stop at one machine. With the stolen IDs and passwords, attackers move into shared servers and other endpoints, and ultimately use the foothold as an entry point to spread ransomware (malware that holds data hostage for money) across the whole organization. The lifted customer lists and credentials get resold on underground markets, and whoever buys them uses them for impersonation and the next round of phishing, pushing the damage further sideways. Because compressed files fly back and forth in everyday work, recipients tend to let their guard down — which is exactly what makes them an attractive entry point.

And the cleanup lands not on the individual who opened the file but, in most cases, on the company they belong to. If customer data leaks, there are breach notifications to the people affected and reports to regulators, plus apologies to business partners, damages, and the work of getting halted operations back on their feet. The CVSS "8.8" only describes the technical severity; what actually weighs on you are these real-world costs. That is why whether you can keep one free, casually installed tool up to date can decide whether you protect your company and its partners.

Why "it's a .zip, so it's fine" does not hold

A key thing to watch with this flaw is that the file used in the attack does not need an NTFS-image extension. It is tempting to think "I never open disk images, so this doesn't apply to me," but that does not protect you.

7-Zip judges a file's format not only by its extension but by the signature of its contents, and if it cannot open the file one way, it falls back to another reader. As a result, an attacker can disguise a file whose contents are a malicious NTFS image with an ordinary extension like ".7z," ".zip," or ".rar," and when the user opens it as usual, it ends up flowing into the flawed NTFS reader and triggers. In fact, security researchers abroad have warned that "a merely renamed file can trigger it" as well.

In short, the assumption that "the extension is .zip, so it must be an ordinary archive" no longer works. An unfamiliar archive attached to an email, a compressed file handed around on a forum or social media, or a download dressed up as a pirated copy is all it takes — extract it with an old 7-Zip and the conditions are met. The flip side is that not casually opening archives from untrusted sources is, alongside updating, an effective defense.
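The disguise described in this section can be caught on the defender's side by the same trick the extractor uses: look at the leading bytes, not the name. The following is an added example (not code from the article or from 7-Zip) of a gateway check that flags a file whose contents carry an NTFS boot-sector signature while its extension claims an ordinary archive. The sample byte prefixes are constructed, and the NTFS extension list is an assumption.

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

typedef enum { FMT_UNKNOWN, FMT_ZIP, FMT_7Z, FMT_RAR, FMT_NTFS } ArchiveFormat;

/* Identify the container by its leading bytes, ignoring the file name entirely. */
ArchiveFormat sniff_format(const unsigned char *buf, size_t len) {
    if (len >= 4 && memcmp(buf, "PK\x03\x04", 4) == 0) return FMT_ZIP;
    if (len >= 6 && memcmp(buf, "7z\xBC\xAF\x27\x1C", 6) == 0) return FMT_7Z;
    if (len >= 6 && memcmp(buf, "Rar!\x1A\x07", 6) == 0) return FMT_RAR;
    /* NTFS boot sector: x86 jump at offset 0, OEM ID "NTFS    " at offset 3 */
    if (len >= 11 && buf[0] == 0xEB && memcmp(buf + 3, "NTFS    ", 8) == 0) return FMT_NTFS;
    return FMT_UNKNOWN;
}

/* Case-insensitive comparison of a file suffix against a lowercase extension. */
static bool ext_is(const char *dot, const char *ext) {
    for (; *dot != '\0' && *ext != '\0'; dot++, ext++)
        if (tolower((unsigned char)*dot) != (unsigned char)*ext) return false;
    return *dot == '\0' && *ext == '\0';
}

/* Format the file name claims to be. The NTFS extensions here are an assumption. */
ArchiveFormat format_from_name(const char *name) {
    const char *dot = strrchr(name, '.');
    if (dot == NULL) return FMT_UNKNOWN;
    if (ext_is(dot, ".zip")) return FMT_ZIP;
    if (ext_is(dot, ".7z"))  return FMT_7Z;
    if (ext_is(dot, ".rar")) return FMT_RAR;
    if (ext_is(dot, ".ntfs") || ext_is(dot, ".img")) return FMT_NTFS;
    return FMT_UNKNOWN;
}

/* Gateway rule: hold back any file whose bytes say "NTFS image" while its name
 * claims something else, which is exactly the disguise the article describes. */
bool looks_disguised_ntfs_image(const char *name, const unsigned char *buf, size_t len) {
    return sniff_format(buf, len) == FMT_NTFS && format_from_name(name) != FMT_NTFS;
}

/* Constructed sample prefixes (not real files): an NTFS boot sector and a ZIP header. */
const unsigned char SAMPLE_NTFS_PREFIX[] =
    { 0xEB, 0x52, 0x90, 'N', 'T', 'F', 'S', ' ', ' ', ' ', ' ', 0x00, 0x02 };
const unsigned char SAMPLE_ZIP_PREFIX[] = { 'P', 'K', 0x03, 0x04, 0x14, 0x00, 0x00, 0x00 };
```

A mail gateway or endpoint scanner applying this rule would quarantine a renamed image before an unpatched 7-Zip ever sees it, without relying on the user to notice anything.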

From discovery to disclosure

This flaw went from a private report to a fix and then to public exploit code. The fix is already out, but code that reproduces the attack is now in circulation. Here is the timeline.


How hard is it to exploit, and how dangerous is it right now

There is no need to panic, but it is also dangerous to shrug off. For the flaw to be triggered, the user has to actually open (extract or test) a crafted file in 7-Zip. The CVSS breakdown notes "user interaction required (UI:R)," so this is not the kind that hijacks you while you do nothing. Nor does it have the immediacy of an unauthenticated remote attack that lands in a single shot over the network, like those seen against factory software; the attacker first needs a little effort to get you to open the file.

What you cannot dismiss, though, is that once you do open it, arbitrary code can run with no password or login, and that proof-of-concept (PoC) code is already public. 7-Zip is used widely, from individuals to enterprises, and exchanging archives over email and file sharing is routine. The raw materials for an attack are in place and users' guard is easy to slip — an attractive combination for attackers. Flaws in compress-and-extract handling keep turning up, as with the buffer overflow in IBM Aspera; the "open / extract a file" entry point is a recurring weak spot.

For the record, this flaw is not listed in the CISA KEV catalog of "vulnerabilities known to be exploited" as of June 6, 2026. It has not reached the stage of confirmed widespread abuse. But with PoC code in circulation, the bar for attackers to weaponize it has dropped. Closing it "before attacks spread" is the lowest-cost response.

Why "install once and forget" is the real danger

What makes 7-Zip awkward is not the quality of the software but the way it gets updated. Browsers and phone apps quietly swap themselves out for the latest version in the background, but 7-Zip has no auto-update. Unless users visit the official site themselves, download the latest version, and reinstall it, a build from years ago keeps running. It is the classic "install it once and forget it exists" tool, which is exactly why so many old versions linger.

On top of that, 7-Zip is free and lightweight, a staple extractor used widely by individuals and businesses alike. It is not unusual for it to run in places no one looks — on servers and NAS boxes, shared office machines, and automated batch jobs. Outlets urged users to update precisely because, with such a large user base, a great many old copies are presumed to be sitting untouched.

This pattern — "close at hand and widely used, yet last in line for updates" — is the same weakness seen in home network gear and smart-home devices. As with TP-Link's smart-home line and various routers, the most effective defense is to be aware that "even the staple tools I use need updates" and to make a habit of reviewing versions a few times a year.

What to do right now

What you need to do is basically a single update of 7-Zip. The steps are as follows.

  • Launch 7-Zip and check your current version via "Help" → "About 7-Zip" in the menu
  • If it is 26.00 or older, get the 26.01-or-later installer from the official download page and install it over the top
  • Always download from the official site (7-zip.org); avoid search ads, unfamiliar mirrors, and bundle/aggregator sites
  • If you use p7zip on Linux/macOS or software that bundles 7-Zip's code, check those distributors' update notices too
  • Do not overlook 7-Zip running in out-of-sight places — servers, NAS boxes, and shared office machines

If you cannot update right away, the interim stopgap is to strictly not open archives from untrusted senders with an old 7-Zip. Because this attack hinges on "opening a crafted file," simply not extracting unexpected attachments or pirated/suspicious downloads cuts the risk substantially. As noted above, do not let your guard down just because the extension is .zip or .rar.

If you manage PCs at a company, the surest move is to inventory the deployed 7-Zip versions and roll out the update to 26.01 or later in one go. Outlets have published concrete steps for checking and updating, which you can also use to brief your organization.

FAQ

Q. How do I check whether my 7-Zip is affected?

Launch 7-Zip and open "Help" → "About 7-Zip" from the menu. If the version shown is 26.00 or older, you are affected. If it is 26.01 or later, it is fixed and no action is needed. This screen also tells you the version if you were unsure.

Q. Is it dangerous just to open an archive I made myself or one from a trusted sender?

No. This flaw only triggers when you open a file an attacker crafted specifically to exploit it. It does not happen with the legitimate archives you exchange day to day. However, attackers can disguise the extension as .zip or .rar, so you cannot judge "it's safe because the extension looks normal." It is safest not to open files from untrusted senders with an old version.

Q. Is it already being used in attacks?

As of June 6, 2026, it is not listed in the U.S. CISA KEV catalog, and there is no confirmed report of real-world exploitation. That said, proof-of-concept (PoC) code reproducing the attack was published on May 22, 2026, and is available to anyone. It is worth updating before widespread abuse begins.

Q. Do Windows Explorer, WinRAR, or other extractors have the same problem?

This flaw is specific to 7-Zip and does not directly apply to Windows' built-in features or other vendors' extraction tools. However, software that bundles 7-Zip's code internally (such as p7zip on Linux/macOS) may carry the same issue. If you use those, check their distributors' update information.

Conclusion

CVE-2026-48095 is a serious flaw in 7-Zip 26.00 and earlier, the staple compression and extraction tool. When an attacker-crafted file is opened, a memory miscalculation causes a heap buffer overflow that can ultimately run arbitrary code on that computer. The fact that it can trigger via a file disguised with a .zip or .rar extension — not just an NTFS-image extension — is what makes the damage easy to spread.

The fixed version, 26.01, is already out. Because 7-Zip has no auto-update, users must check their version themselves and update to the latest from the official site. As of June 6, 2026, no widespread abuse has been confirmed, but the proof-of-concept code is public. The longer you have left an old version installed, the more worthwhile it is to open "Help → About 7-Zip" now and check.
