PatchSiren cyber security CVE debrief
CVE-2026-48102 mcmilk CVE debrief
CVE-2026-48102 is a heap out-of-bounds read in 7-Zip, a file archiver with a high compression ratio. The flaw sits in the UDF disc image handler's File Identifier Descriptor parser, `CFileId::Parse`. A crafted UDF image makes the parser read 1 to 3 bytes past the end of the heap buffer holding the image; because that buffer is allocated at exactly the image size, the over-read lands on whatever heap memory follows it. The realistic impact is disclosure of a few adjacent heap bytes and denial of service (a crash when the over-read crosses into an unmapped page). The CVSS score is 3.1, low severity.
- Vendor: mcmilk
- Product: 7-Zip
- CVSS: 3.1 (LOW)
- CISA KEV: not listed in the stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-10
Who should care
Anyone running 7-Zip 9.11 through 26.00 is affected, in particular services that feed it files from untrusted sources (mail gateways, upload scanners, malware sandboxes, automated extraction pipelines) and users who open disc images they did not create. Listing an image is enough to reach the vulnerable parser, so extraction is not required.
Technical summary
The vulnerability is in the `CFileId::Parse` function of the UDF disc image handler. The image is read into a heap buffer sized exactly to the image, and the parser does not confirm that every byte of a File Identifier Descriptor lies inside that buffer before reading it. A descriptor placed at the very end of a crafted image therefore makes the parser read 1 to 3 bytes past the end of the allocation. Merely listing the crafted image triggers the read; extraction is not needed.
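As an added illustration (not 7-Zip's code and not its `CFileId::Parse`), the layout of a UDF File Identifier Descriptor from ECMA-167 4/14.4 and the bounds check a parser needs when the descriptor ends an exact-size buffer. The lax variant models one hypothetical way a parser over-reads by 1 to 3 bytes: it bounds the unpadded descriptor length but then walks the 4-byte-padded length. That this is the actual defect is an assumption, chosen only because it reproduces the reported 1-to-3-byte overrun; the test image is constructed inline, and the lax check reports how far it would read rather than dereferencing past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* UDF File Identifier Descriptor (ECMA-167 4/14.4): 38-byte fixed part, then
 * L_IU bytes of implementation use, L_FI bytes of identifier, then padding so
 * the descriptor length is a multiple of 4. Added example, not 7-Zip code. */
#define FID_FIXED_SIZE 38u
#define FID_OFF_CHARS  18u   /* file characteristics, uint8 */
#define FID_OFF_L_FI   19u   /* length of file identifier, uint8 */
#define FID_OFF_L_IU   36u   /* length of implementation use, uint16 LE */
#define FID_OFF_IU     38u   /* start of implementation use */

typedef struct {
    uint8_t        file_chars;
    uint8_t        l_fi;
    uint16_t       l_iu;
    const uint8_t *ident;        /* identifier bytes, pointing into the image */
    size_t         padded_size;  /* bytes the descriptor occupies, 4-aligned */
} fid_t;

static uint16_t get_le16(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* ECMA-167 4/14.4.9: 4 * ((38 + L_FI + L_IU + 3) / 4) */
static size_t fid_padded_size(size_t l_fi, size_t l_iu)
{
    return 4u * ((FID_FIXED_SIZE + l_fi + l_iu + 3u) / 4u);
}

/* Hypothetical bug pattern (an assumption, not the real defect): the check
 * bounds the unpadded length, but the parser then walks the padded length.
 * Nothing past 'avail' is dereferenced here; *touched reports how far such a
 * walk would read so the caller can measure the overrun safely. */
int fid_check_lax(const uint8_t *buf, size_t avail, size_t *touched)
{
    if (avail < FID_FIXED_SIZE) return 0;
    size_t l_fi = buf[FID_OFF_L_FI];
    size_t l_iu = get_le16(buf + FID_OFF_L_IU);
    if (FID_FIXED_SIZE + l_fi + l_iu > avail) return 0;  /* ignores padding */
    *touched = fid_padded_size(l_fi, l_iu);              /* 0..3 bytes more */
    return 1;
}

/* Hardened parser: the padded extent must lie entirely inside the buffer. */
int fid_parse_strict(const uint8_t *buf, size_t avail, fid_t *out)
{
    if (avail < FID_FIXED_SIZE) return 0;
    size_t l_fi = buf[FID_OFF_L_FI];
    size_t l_iu = get_le16(buf + FID_OFF_L_IU);
    size_t padded = fid_padded_size(l_fi, l_iu);
    if (padded > avail) return 0;                        /* rejects the crafted tail */
    out->file_chars  = buf[FID_OFF_CHARS];
    out->l_fi        = (uint8_t)l_fi;
    out->l_iu        = (uint16_t)l_iu;
    out->ident       = buf + FID_OFF_IU + l_iu;
    out->padded_size = padded;
    return 1;
}

/* Constructed test data: an FID written without its padding, as it would sit
 * at the very end of an exact-size image. Returns the unpadded length, 0 if
 * it does not fit in 'cap'. */
size_t build_fid_unpadded(uint8_t *dst, size_t cap, uint16_t l_iu, const char *name)
{
    size_t l_fi = strlen(name);
    size_t len = FID_FIXED_SIZE + l_iu + l_fi;
    if (l_fi > 255 || len > cap) return 0;
    memset(dst, 0, len);
    dst[0] = 0x01; dst[1] = 0x01;                        /* tag id 257 = FID, LE */
    dst[FID_OFF_L_FI]     = (uint8_t)l_fi;
    dst[FID_OFF_L_IU]     = (uint8_t)(l_iu & 0xffu);
    dst[FID_OFF_L_IU + 1] = (uint8_t)(l_iu >> 8);
    memcpy(dst + FID_OFF_IU + l_iu, name, l_fi);
    return len;
}

/* Bytes past the exact-size image that the lax walk would read (0 to 3). */
size_t lax_overread(uint16_t l_iu, const char *name)
{
    uint8_t image[512];
    size_t touched = 0;
    size_t len = build_fid_unpadded(image, sizeof image, l_iu, name);
    if (len == 0 || !fid_check_lax(image, len, &touched)) return 0;
    return touched > len ? touched - len : 0;
}

/* Whether the hardened parser accepts the same exact-size image. */
int strict_accepts(uint16_t l_iu, const char *name)
{
    uint8_t image[512];
    fid_t fid;
    size_t len = build_fid_unpadded(image, sizeof image, l_iu, name);
    return len != 0 && fid_parse_strict(image, len, &fid);
}

int main(void)
{
    const char *names[] = { "ab", "a", "abcd", "abc" };  /* 40, 39, 42, 41 bytes */
    for (size_t i = 0; i < 4; i++)
        printf("name %-5s lax over-read %zu byte(s), strict accepts %d\n",
               names[i], lax_overread(0, names[i]), strict_accepts(0, names[i]));
    return 0;
}
```

The only difference between the two checks is whether the padded or the unpadded length is compared against the remaining bytes; the over-read is exactly the padding, which is why it never exceeds 3 bytes. Any bound on a variable-length record should be taken on the full extent the code will walk, not on the logical payload.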
Defensive priority
Medium
Recommended defensive actions
- Upgrade to 7-Zip 26.01 or later, including copies bundled inside other tools or pipelines that call 7-Zip to handle disc images.
- Until upgraded, do not list or extract UDF images from untrusted sources; listing alone reaches the vulnerable parser.
Evidence notes
The vulnerability was reported to 7-Zip by security researchers at GitHub. The stored reference for the CVE is GitHub's security contact ([email protected]), tagged Exploit, Patch and Third Party Advisory, so a public proof of concept and the fixing change are referenced from the record. The fix shipped in 7-Zip 26.01.
Official resources
- CVE-2026-48102 CVE record (CVE.org)
- CVE-2026-48102 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (tagged Exploit, Patch, Third Party Advisory)
CVE-2026-48102 was published on 2026-06-05T16:16:41.593Z and modified on 2026-06-10T10:45:47.817Z.