PatchSiren cyber security CVE debrief
CVE-2026-48092 mcmilk CVE debrief
CVE-2026-48092 is a heap memory disclosure vulnerability in 7-Zip, a file archiver with a high compression ratio. Versions 9.34 through 26.00 are affected on 32-bit builds due to an integer overflow in the SquashFS ReadBlock function. This allows an attacker-controlled node.Offset value to bypass the fragment bounds check, causing memcpy to read heap memory preceding the cache buffer into the extracted file. The vulnerability is exploitable only on 32-bit builds of 7-Zip where size_t is 32 bits. Version 26.01 patches the issue.
- Vendor: mcmilk
- Product: 7-Zip
- CVSS: MEDIUM 4.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-08
Who should care
Users of 7-Zip on 32-bit systems, particularly those handling untrusted archive files, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability is caused by a 32-bit integer overflow in the SquashFS ReadBlock function, which allows an attacker to bypass the fragment bounds check. This can lead to the disclosure of heap memory. The issue is only exploitable on 32-bit builds of 7-Zip.
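The following is an added illustration, not 7-Zip's code and not taken from this advisory. It models the general defect class the summary describes: a bounds check of the form `offset + size <= limit` evaluated in 32-bit arithmetic (as `size_t` is on a 32-bit build) wraps around for a large offset and passes, while the same check written so that no addition can overflow rejects the request. The function names, the 64-byte cache and the offset values are constructed for the example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <string.h>
#include <stdio.h>

/* Constructed cache buffer standing in for a fragment cache. */
#define CACHE_SIZE 64u
static uint8_t g_cache[CACHE_SIZE];
static uint8_t g_scratch[CACHE_SIZE];

/* Naive check (hypothetical, models the vulnerable pattern): the sum is
   computed in 32 bits, so offset near UINT32_MAX wraps to a small value
   and the comparison against limit succeeds. */
bool naive_in_bounds(uint32_t offset, uint32_t size, uint32_t limit) {
    uint32_t end = offset + size;   /* can wrap around on 32-bit size_t */
    return end <= limit;
}

/* Overflow-safe check: subtract instead of add, so no intermediate value
   can exceed the range of the type regardless of word size. */
bool safe_in_bounds(uint32_t offset, uint32_t size, uint32_t limit) {
    return offset <= limit && size <= limit - offset;
}

/* Copies `size` bytes starting at `offset` from the cache into a scratch
   buffer using the safe check. Returns bytes copied, or -1 if rejected. */
int read_fragment_safe(uint32_t offset, uint32_t size) {
    if (!safe_in_bounds(offset, size, CACHE_SIZE))
        return -1;
    memcpy(g_scratch, g_cache + offset, size);
    return (int)size;
}

int main(void) {
    /* A request whose offset + size wraps in 32-bit arithmetic. */
    uint32_t bad_offset = 0xFFFFFFF0u, size = 0x20u;
    printf("naive check passes: %d\n", naive_in_bounds(bad_offset, size, CACHE_SIZE));
    printf("safe  check passes: %d\n", safe_in_bounds(bad_offset, size, CACHE_SIZE));
    printf("safe read result  : %d\n", read_fragment_safe(bad_offset, size));
    printf("valid read result : %d\n", read_fragment_safe(8u, 16u));
    return 0;
}
```

The naive form reports the wrapped request as in range because `0xFFFFFFF0 + 0x20` becomes `0x10` in 32-bit arithmetic; a subsequent `memcpy` at `cache + offset` would then address memory well outside the buffer. Rewriting the check as a subtraction is the usual remediation for this pattern and is one thing to look for when reviewing similar parsers.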
Defensive priority
MEDIUM
Recommended defensive actions
- Update to version 26.01 or later
- Use 64-bit builds of 7-Zip for added security
Evidence notes
The CVE-2026-48092 vulnerability was published on [cve-org] and details can be found on [nvd]. Additional information and mitigation steps are available at [ref-4].
Official resources
- CVE-2026-48092 CVE record (CVE.org)
- CVE-2026-48092 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Patch, Third Party Advisory
CVE-2026-48092 was published on 2026-06-05T15:16:53.380Z and modified on 2026-06-08T18:16:33.553Z.