PatchSiren cyber security CVE debrief
CVE-2026-48101 mcmilk CVE debrief
CVE-2026-48101 is a MEDIUM severity vulnerability in 7-Zip, a file archiver with a high compression ratio. Versions 9.21 through 26.00 are affected by an uninitialized memory disclosure vulnerability in the UEFI capsule (.scap) parser. The OpenCapsule function allocates a heap buffer of attacker-declared CapsuleImageSize (up to 1 GiB) without zero-initialization, then reads the file contents into it. If the file is truncated, the unread tail of the buffer retains uninitialized heap memory, which is then exposed as extracted file content via GetStream. Version 26.0.1 fixes the issue.
- Vendor
- mcmilk
- Product
- 7-Zip
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-05
- Original CVE updated
- 2026-06-11
- Advisory published
- 2026-06-05
- Advisory updated
- 2026-06-11
Who should care
Users of 7-Zip versions 9.21 through 26.00 should update to version 26.0.1 or later to mitigate this vulnerability.
Technical summary
The vulnerability exists in the UEFI capsule (.scap) parser of 7-Zip. The OpenCapsule function allocates a heap buffer without zero-initialization, leading to potential exposure of uninitialized memory if the file is truncated.
Defensive priority
MEDIUM
Recommended defensive actions
- Update 7-Zip to version 26.0.1 or later.
Evidence notes
CVE-2026-48101 has a CVSS score of 6.5 and is classified as MEDIUM severity. The vulnerability was published on 2026-06-05T16:16:41.423Z and modified on 2026-06-11T18:02:03.633Z.
Official resources
-
CVE-2026-48101 CVE record
CVE.org
-
CVE-2026-48101 NVD detail
NVD
-
Source item URL
nvd_modified
-
Mitigation or vendor reference
[email protected] - Exploit, Patch, Third Party Advisory
CVE-2026-48101 was published on 2026-06-05T16:16:41.423Z and modified on 2026-06-11T18:02:03.633Z.