Critical 7-Zip vulnerability could let attackers execute code through malicious archive files

A critical security vulnerability has been discovered in 7-Zip that could allow attackers to execute malicious code on a victim’s system simply by opening a specially crafted archive file.

The vulnerability is tracked as CVE-2026-48095 and affects all versions of 7-Zip up to version 26.00. Security researchers say the flaw exists in the software’s NTFS archive handling system.

According to the technical advisory, the bug is caused by a heap buffer overflow issue that can lead to arbitrary code execution through a vtable hijack attack. The vulnerability has been given a high CVSS severity score of 8.8.

What makes the flaw especially dangerous is that attackers can disguise the malicious file using almost any file extension. Researchers say the vulnerable NTFS handler relies on signature-based detection, meaning a malicious file could appear as a .zip, .7z, .rar, or even a file without an extension.
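Because detection is signature-based, filtering on file extension does not help; a content check does. The following is an added example, not code from the advisory or from 7-Zip: it flags files whose first sector carries the standard NTFS boot-sector markers while the file name claims to be something else. It assumes the handler keys on those markers at offset 0; the function names and the `DISK_IMAGE_EXTS` list are illustrative.

```python
import os

# Standard NTFS boot-sector layout: OEM ID "NTFS    " at offset 3 and the
# 0x55 0xAA end-of-sector marker at offsets 510-511.
NTFS_OEM_ID = b"NTFS    "
BOOT_SECTOR_SIZE = 512

# Assumed list: extensions where an NTFS volume image is an expected payload.
DISK_IMAGE_EXTS = {".img", ".ntfs", ".dd", ".raw"}


def looks_like_ntfs(header: bytes) -> bool:
    """True if the first sector carries the NTFS boot-sector markers."""
    if len(header) < BOOT_SECTOR_SIZE:
        return False  # truncated file: cannot hold a full boot sector
    return header[3:11] == NTFS_OEM_ID and header[510:512] == b"\x55\xaa"


def triage(path: str) -> str:
    """Classify a file as 'ok', 'ntfs-image' or 'ntfs-disguised'."""
    with open(path, "rb") as fh:
        header = fh.read(BOOT_SECTOR_SIZE)
    if not looks_like_ntfs(header):
        return "ok"
    ext = os.path.splitext(path)[1].lower()
    return "ntfs-image" if ext in DISK_IMAGE_EXTS else "ntfs-disguised"


def scan(root: str) -> dict:
    """Walk a directory and return {path: verdict} for NTFS-looking files."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                verdict = triage(full)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if verdict != "ok":
                hits[full] = verdict
    return hits


def constructed_boot_sector() -> bytes:
    """Constructed sample: a zeroed sector with only the two markers set."""
    sector = bytearray(BOOT_SECTOR_SIZE)
    sector[3:11] = NTFS_OEM_ID
    sector[510:512] = b"\x55\xaa"
    return bytes(sector)
```

Run `scan()` over a download or mail-attachment quarantine directory; any `ntfs-disguised` hit is a file that an unpatched 7-Zip would route to the NTFS handler despite its name.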

Once the victim opens the crafted file, the exploit can trigger automatically without requiring any additional interaction.

The vulnerability affects both 32-bit and 64-bit versions of 7-Zip. On systems with enough available memory, attackers may be able to achieve full remote code execution. On lower-memory systems, the flaw may still cause crashes or denial-of-service issues.

The issue was discovered by security researcher Jaroslav Lobačevski from GitHub Security Lab. The researcher reportedly used UBSan debugging tools to identify the undefined behavior and resulting memory corruption issue.

Users are strongly advised to update 7-Zip to version 26.01 immediately, which includes a fix for the vulnerability.

Deepanker Verma

About the Author: Deepanker Verma

Deepanker Verma is the Founder and Editor-in-Chief of TechloMedia. He holds an engineering degree in Computer Science and has over 15 years of experience in the technology sector. Deepanker bridges the gap between complex engineering and consumer electronics. He is also a known security researcher acknowledged by global giants including Apple, Microsoft, and eBay. He uses his technical background to rigorously test gadgets, focusing on performance, security, and long-term value.
