A newly discovered vulnerability in 7-Zip, one of the most widely used file compression and extraction tools, could allow attackers to execute malicious code on affected systems
Tracked as CVE-2026-14266, the flaw affects the way 7-Zip processes XZ-compressed data streams. It has been classified as a memory corruption vulnerability and has been fixed in the latest 7-Zip 26.02 update.
The issue is caused by improper handling of XZ chunked data, which can trigger a heap-based buffer overflow. This happens when specially crafted data exceeds the memory space allocated for a buffer, potentially allowing attackers to manipulate the application and execute their own code.
If successfully exploited, attackers could run malicious code with the same privileges as the current user. This could allow them to install malware, steal data, or use the compromised system as part of a larger attack.
However, exploitation requires user interaction. Attackers cannot compromise a system without the victim taking an action. The attack can be triggered when a user opens a specially crafted archive file or visits a malicious webpage designed to deliver the affected XZ payload.
The vulnerability is particularly concerning because 7-Zip is used by millions of users worldwide, including businesses and IT administrators. Attackers often use compressed files in phishing campaigns because archive attachments can appear harmless and bypass basic security checks.
A malicious archive sent through email or other platforms could trick users into opening the file, allowing attackers to exploit the vulnerability and gain access to the system.
The vulnerability has been patched in 7-Zip version 26.02. Users are advised to update their installations immediately to reduce the risk of exploitation.
Security experts also recommend avoiding archive files from unknown sources, scanning email attachments before opening them, and being cautious with unexpected compressed files.
The vulnerability was discovered and reported by Landon Peng of Lunbun LLC through responsible disclosure, helping developers release a fix before widespread exploitation.
CVE-2026-14266 is another reminder that even trusted and widely used software can contain serious security vulnerabilities. Keeping applications updated and following safe file-handling practices remains important to protect against malware and other cyber threats.






