PatchSiren cyber security CVE debrief
CVE-2026-48095 mcmilk CVE debrief
CVE-2026-48095 is a high-severity heap buffer overflow vulnerability in 7-Zip, a popular file archiver. Versions 26.00 and prior are affected, allowing for code execution or application crashes. The vulnerability is caused by an under-allocation in the NTFS compressed stream buffer. To mitigate, upgrade to version 26.01 or later.
- Vendor: mcmilk
- Product: 7-Zip
- CVSS: HIGH 8.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-08
Who should care
Users of 7-Zip versions 26.00 and prior should upgrade to version 26.01 or later to address this vulnerability.
Technical summary
The vulnerability is caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB) in CInStream::GetCuSize(). A crafted image with ClusterSizeLog >= 28 and CompressionUnit == 4 can drive the exponent to 32, resulting in undefined behavior and a 1-byte buffer allocation. ReadStream_FALSE can then write up to 256 MB of attacker-controlled data into that buffer, potentially allowing for code execution or application crashes.
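The arithmetic behind the bug is small enough to model directly. The following C++ is an added example written for this debrief, not 7-Zip's own code: it assumes a compression-unit size computed as 1 << (ClusterSizeLog + CompressionUnit), shows why an exponent of 32 collapses to a 1-byte allocation on hardware that masks 32-bit shift counts, and places a validated version beside it. The names cuSizeSimulatedWrap, cuSizeChecked, kMaxCuSizeLog, readIntoCuBuffer and craftedHeaderIsRejected, the 128 MB cap, and the header values are all constructed for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <optional>
#include <vector>

// Hypothetical model of the arithmetic the debrief describes (not 7-Zip's
// code): a compression-unit size derived as 1 << (ClusterSizeLog + CompressionUnit).

// Emulates what a 32-bit shift by 32 does on hardware that masks the shift
// count to 5 bits: 1 << 32 degrades to 1 << 0 == 1. The masking is written
// out explicitly so this program itself contains no undefined behaviour.
uint32_t cuSizeSimulatedWrap(unsigned clusterSizeLog, unsigned compressionUnit) {
    unsigned exp = clusterSizeLog + compressionUnit;
    return uint32_t(1) << (exp & 31u);
}

// Hardened version: validate the exponent before shifting, so the result can
// never wrap and never exceed a policy cap. kMaxCuSizeLog is an assumed cap
// (128 MB) chosen for this example, not a value taken from the advisory.
constexpr unsigned kMaxCuSizeLog = 27;

std::optional<uint32_t> cuSizeChecked(unsigned clusterSizeLog, unsigned compressionUnit) {
    // Check the addends separately too, so the sum cannot overflow 'unsigned'.
    if (clusterSizeLog > kMaxCuSizeLog || compressionUnit > kMaxCuSizeLog) return std::nullopt;
    unsigned exp = clusterSizeLog + compressionUnit;
    if (exp > kMaxCuSizeLog) return std::nullopt;
    return uint32_t(1) << exp;
}

// Models the read step: the number of bytes the image claims for a unit is
// checked against the buffer actually allocated before any copy happens.
bool readIntoCuBuffer(std::vector<uint8_t>& buf, const uint8_t* src, size_t claimedLen) {
    if (claimedLen > buf.size()) return false;  // would overflow the heap buffer
    std::memcpy(buf.data(), src, claimedLen);
    return true;
}

// Reports whether the hardened path refuses a header with these two values.
bool craftedHeaderIsRejected(unsigned clusterSizeLog, unsigned compressionUnit) {
    return !cuSizeChecked(clusterSizeLog, compressionUnit).has_value();
}

int main() {
    // Constructed header values matching the advisory's description.
    const unsigned clusterSizeLog = 28, compressionUnit = 4;
    std::printf("wrapped size:  %u byte(s)\n", cuSizeSimulatedWrap(clusterSizeLog, compressionUnit));
    std::printf("checked path:  %s\n",
                craftedHeaderIsRejected(clusterSizeLog, compressionUnit) ? "rejected" : "accepted");

    // A legitimate 4 KB cluster with a 16-cluster unit: 1 << 16 == 65536 bytes.
    std::printf("normal unit:   %u bytes\n", cuSizeChecked(12, 4).value());

    // Even if a tiny buffer were allocated, the guarded read refuses the oversized copy.
    std::vector<uint8_t> tiny(1);
    std::vector<uint8_t> payload(256, 0xAA);  // constructed stand-in for image data
    std::printf("guarded read:  %s\n",
                readIntoCuBuffer(tiny, payload.data(), payload.size()) ? "copied" : "refused");
    return 0;
}
```

The two checks are deliberately independent: rejecting the exponent before the shift removes the undefined behaviour, while the length check at the read site means a wrong size computed anywhere else still cannot turn into a heap write past the allocation.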
Defensive priority
High
Recommended defensive actions
- Upgrade to 7-Zip version 26.01 or later.
- Avoid opening untrusted images with 7-Zip versions 26.00 and prior.
Evidence notes
CVE-2026-48095 has a CVSS score of 8.8 and is considered HIGH severity. The vulnerability is exploitable remotely and requires no user interaction.
Official resources
- CVE-2026-48095 CVE record (CVE.org)
- CVE-2026-48095 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Exploit, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Product, Release Notes
CVE-2026-48095 was published on 2026-06-05T15:16:53.520Z and modified on 2026-06-08T20:17:01.873Z.