PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48103 mcmilk CVE debrief

CVE-2026-48103 is an off-by-one heap out-of-bounds read in 7-Zip, a file archiver with a high compression ratio, affecting versions 9.34 through 26.00. The bug sits in the WIM (Windows Imaging) archive handler's security descriptor lookup, specifically in `CHandler::GetSecurity` (CPP/7zip/Archive/Wim/WimHandler.cpp).

The per-image SecurOffsets table holds `numEntries + 1` cumulative offsets (one per descriptor plus a terminating end offset), so a descriptor's length is `SecurOffsets[securityId + 1] - SecurOffsets[securityId]`. The bounds check `securityId >= SecurOffsets.Size()` compares against `numEntries + 1`, so it admits `securityId == numEntries`; the subsequent read of `SecurOffsets[securityId + 1]` then fetches one UInt32 past the end of the heap-allocated CRecordVector. `securityId` is attacker-controlled: it is read from offset +0xC of any directory entry in the WIM metadata.

The handler is registered for .wim, .swm, .esd and .ppkg and is enabled by default in the stock 7z.dll. The read can be triggered zero-click in the GUI because 7zFM.exe's ListView calls `GetRawProp(kpidNtSecure)` for every item while listing an archive, so merely opening a crafted file is enough. Impact is limited to denial of service under hardened allocators and minor information disclosure: the out-of-bounds value is consumed only arithmetically as a length and is not surfaced to the attacker.
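The following is an added, self-contained C++ model of the off-by-one described above; it is not code from 7-Zip or from the advisory. It reproduces the shape of the bug (an offset table of `numEntries + 1` words, a bounds check against `Size()`, and a read at `securityId + 1`) beside a corrected check, and pulls the id from offset +0xC of a constructed directory entry. Names such as `SecurOffsetsModel`, `MakeTable`, `MakeDentry` and the slack-word trick are assumptions of this example: the model keeps one extra word after the "real" allocation so the out-of-bounds read returns a deterministic marker instead of undefined behaviour.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Model of the per-image security-descriptor offset table (assumption, not 7-Zip's CRecordVector).
// N descriptors yield N+1 cumulative offsets; offset[i+1] - offset[i] is descriptor i's length.
// The trailing slack word stands in for whatever follows the real allocation on the heap.
struct SecurOffsetsModel {
    std::vector<uint32_t> storage;                                   // N+1 real offsets + 1 slack word
    uint32_t Size() const { return (uint32_t)storage.size() - 1; }   // what the real vector would report
    uint32_t operator[](uint32_t i) const { return storage[i]; }     // unchecked, like a raw vector
};

static const uint32_t kSlackMarker = 0xDEADBEEF;  // constructed "adjacent heap data"

// Build a table for descriptors of the given lengths (constructed sample input).
static SecurOffsetsModel MakeTable(const std::vector<uint32_t> &lens) {
    SecurOffsetsModel t;
    uint32_t off = 0;
    t.storage.push_back(off);
    for (uint32_t l : lens) { off += l; t.storage.push_back(off); }
    t.storage.push_back(kSlackMarker);
    return t;
}

// Little-endian helpers; the security id lives at +0xC of a WIM directory entry.
static uint32_t GetUi32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static int32_t DentrySecurityId(const uint8_t *dentry) { return (int32_t)GetUi32(dentry + 0xC); }

// Constructed 0x20-byte directory entry with the given security id at +0xC.
static std::vector<uint8_t> MakeDentry(int32_t securityId) {
    std::vector<uint8_t> d(0x20, 0);
    uint32_t v = (uint32_t)securityId;
    d[0xC] = v & 0xFF; d[0xD] = (v >> 8) & 0xFF; d[0xE] = (v >> 16) & 0xFF; d[0xF] = (v >> 24) & 0xFF;
    return d;
}

// Vulnerable lookup: checks against Size() (= N+1) but reads index securityId+1,
// so securityId == N passes the check and reads one word past the end.
// Returns -1 when rejected, otherwise the computed descriptor length.
static int64_t SecurityLen_Vulnerable(const SecurOffsetsModel &t, int32_t securityId) {
    if (securityId < 0) return -1;                   // assumption: negative id = no descriptor
    uint32_t id = (uint32_t)securityId;
    if (id >= t.Size()) return -1;                   // admits id == N
    return (int64_t)t[id + 1] - t[id];               // out-of-bounds read when id == N
}

// Fixed lookup: id + 1 must itself be a valid index. Written as id >= Size() - 1
// rather than id + 1 >= Size() so a huge id cannot wrap around and pass.
static int64_t SecurityLen_Fixed(const SecurOffsetsModel &t, int32_t securityId) {
    if (securityId < 0) return -1;
    uint32_t id = (uint32_t)securityId;
    if (t.Size() == 0 || id >= t.Size() - 1) return -1;   // rejects id == N
    return (int64_t)t[id + 1] - t[id];
}

int main() {
    // Three descriptors of 16, 32 and 8 bytes: offsets {0, 16, 48, 56}, N = 3.
    SecurOffsetsModel t = MakeTable({16, 32, 8});
    std::vector<uint8_t> crafted = MakeDentry(3);    // securityId == N, the off-by-one case
    int32_t id = DentrySecurityId(crafted.data());
    std::printf("id=%d vulnerable=%lld fixed=%lld\n", id,
                (long long)SecurityLen_Vulnerable(t, id), (long long)SecurityLen_Fixed(t, id));
    return 0;
}
```

The vulnerable path returns `0xDEADBEEF - 56` for the crafted entry, i.e. a length derived from memory it never owned, which is exactly why the real bug only yields a bogus length (and a crash under a guard-page allocator) rather than the out-of-bounds bytes themselves; the fixed path rejects the id.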

Vendor
mcmilk
Product
7-Zip
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-05
Original CVE updated
2026-06-08
Advisory published
2026-06-05
Advisory updated
2026-06-08

Who should care

Anyone running 7-Zip versions 9.34 through 26.00 is affected. The risk is highest where WIM-family files (.wim, .swm, .esd, .ppkg) from untrusted sources are handled, and in particular where they are opened in the 7-Zip File Manager, because listing an archive is enough to trigger the read; no extraction is required.

Technical summary

Off-by-one heap out-of-bounds read in 7-Zip's WIM archive handler, allowing for denial of service and minor information disclosure.

Defensive priority

Medium

Recommended defensive actions

  • Update to 7-Zip version 26.01 or later.
  • Until updated, do not open or list untrusted .wim, .swm, .esd or .ppkg files with 7-Zip versions 9.34 through 26.00, including via the 7-Zip File Manager.

Evidence notes

CVE-2026-48103 was analyzed and published by the National Vulnerability Database (NVD) on 2026-06-05.

Official resources

CVE-2026-48103 was published on 2026-06-05T17:16:48.133Z and modified on 2026-06-08T17:54:13.640Z.