PatchSiren cyber security CVE debrief

CVE-2026-48104 mcmilk CVE debrief

CVE-2026-48104 is a MEDIUM severity vulnerability in 7-Zip, a file archiver with a high compression ratio. The issue, caused by an uninitialized heap read in the SquashFS archive handler, affects versions 9.18 through 26.00. This vulnerability is triggered when opening a crafted SquashFS image, leading to a potential denial of service due to a wild-pointer dereference and possible heap information disclosure. The vulnerability has a CVSS score of 4.2 and was published on 2026-06-05T17:16:48.547Z.

Vendor: mcmilk
Product: 7-Zip
CVSS: MEDIUM 4.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-05
Original CVE updated: 2026-06-08
Advisory published: 2026-06-05
Advisory updated: 2026-06-08

Who should care

Users of 7-Zip, especially those who handle archive files from untrusted sources, should be aware of this vulnerability. Developers and administrators should prioritize updating to version 26.01 or later to mitigate this issue.

Technical summary

The SquashFS handler in 7-Zip is vulnerable to an uninitialized heap read. When processing a sparsely populated index array in a SquashFS archive, the handler may read heap memory that was never written. This occurs when the _blockToNode array is allocated but not fully populated, leaving some slots holding whatever the heap previously contained. A crafted image that steers blockIndex to one of those unpopulated slots causes the stale heap contents to be used as a pointer, which yields a chained out-of-bounds read primitive.
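To illustrate the defect class described above, here is an added example in C that is constructed for this debrief and is not 7-Zip's code: a hypothetical handler whose sparse index array is allocated with malloc and only partly filled, beside the hardened form that zero-initialises the array and rejects both out-of-range and unpopulated indices before anything dereferences the result. Every name (Handler, Node, block_to_node, block_index, LISTED_BLOCKS) is an assumption, and the 0xAA fill stands in for stale heap contents so that the run is deterministic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for an archive handler that maps block indices to node
 * records through a sparse index array. Names are assumptions, not 7-Zip's. */

#define NUM_BLOCKS 8u   /* slots in the index array, one per block */
#define NUM_NODES  3u   /* records the constructed "archive" actually lists */

typedef struct { uint32_t inode; } Node;

typedef struct {
    Node   nodes[NUM_NODES];
    Node **block_to_node;   /* sparse: only listed blocks get a slot written */
} Handler;

/* Constructed directory: the archive lists nodes for blocks 0, 2 and 5 only,
 * so slots 1, 3, 4, 6 and 7 are never written by either init routine. */
static const uint32_t LISTED_BLOCKS[NUM_NODES] = { 0, 2, 5 };

static void fill_nodes(Handler *h)
{
    for (uint32_t i = 0; i < NUM_NODES; i++)
        h->nodes[i].inode = 100 + i;
}

/* Vulnerable pattern: malloc leaves unwritten slots holding whatever the
 * previous heap user left behind. The 0xAA memset stands in for that stale
 * content so the example is deterministic; in real code the read is UB. */
static int init_vulnerable(Handler *h)
{
    fill_nodes(h);
    h->block_to_node = malloc(NUM_BLOCKS * sizeof *h->block_to_node);
    if (!h->block_to_node) return -1;
    memset(h->block_to_node, 0xAA, NUM_BLOCKS * sizeof *h->block_to_node);
    for (uint32_t i = 0; i < NUM_NODES; i++)
        h->block_to_node[LISTED_BLOCKS[i]] = &h->nodes[i];
    return 0;
}

/* No range check and no populated check: a block_index from the archive that
 * names an unlisted slot hands back the stale bytes as a Node pointer. */
static Node *lookup_vulnerable(const Handler *h, uint32_t block_index)
{
    return h->block_to_node[block_index];
}

/* Hardened pattern: calloc makes every unwritten slot NULL, the directory is
 * range-checked on the way in, and the lookup rejects out-of-range indices
 * (-1) and never-populated slots (-2) before the caller can dereference. */
static int init_hardened(Handler *h)
{
    fill_nodes(h);
    h->block_to_node = calloc(NUM_BLOCKS, sizeof *h->block_to_node);
    if (!h->block_to_node) return -1;
    for (uint32_t i = 0; i < NUM_NODES; i++)
        if (LISTED_BLOCKS[i] < NUM_BLOCKS)
            h->block_to_node[LISTED_BLOCKS[i]] = &h->nodes[i];
    return 0;
}

static int lookup_hardened(const Handler *h, uint32_t block_index, const Node **out)
{
    if (block_index >= NUM_BLOCKS) return -1;
    const Node *n = h->block_to_node[block_index];
    if (n == NULL) return -2;
    *out = n;
    return 0;
}

/* True when p is the address of one of the handler's own node records. */
static int points_into_nodes(const Handler *h, const Node *p)
{
    for (uint32_t i = 0; i < NUM_NODES; i++)
        if ((uintptr_t)p == (uintptr_t)&h->nodes[i]) return 1;
    return 0;
}

/* Returns 1 when the vulnerable lookup of block_index (< NUM_BLOCKS for this
 * demo) yields a pointer outside the node table, i.e. a wild pointer; 0 when
 * it is a real node; -1 on allocation failure. */
int vulnerable_lookup_is_wild(uint32_t block_index)
{
    Handler h;
    if (init_vulnerable(&h) != 0) return -1;
    int wild = !points_into_nodes(&h, lookup_vulnerable(&h, block_index));
    free(h.block_to_node);
    return wild;
}

/* Returns the inode for block_index on success, else the negative status. */
long hardened_lookup(uint32_t block_index)
{
    Handler h;
    const Node *n = NULL;
    if (init_hardened(&h) != 0) return -1;
    int rc = lookup_hardened(&h, block_index, &n);
    long result = (rc == 0) ? (long)n->inode : rc;
    free(h.block_to_node);
    return result;
}
```

The memset exists only to make the wild pointer reproducible; remove it and build with clang's MemorySanitizer (-fsanitize=memory) and the read of the unwritten slot in lookup_vulnerable is reported at the point of use, which is how this class of defect is typically caught during fuzzing of archive parsers. Note that the hardened form needs both halves: zero-initialisation alone turns the wild pointer into a NULL dereference (still a crash), and the NULL check alone does nothing if the slot was never zeroed.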

Defensive priority

High

Recommended defensive actions

  • Update 7-Zip to version 26.01 or later.
  • Be cautious when opening archive files from untrusted sources.

Evidence notes

The CVE record and NVD detail provide comprehensive information about this vulnerability. Additional details can be found in the linked security advisory.

Official resources

CVE-2026-48104 was published on 2026-06-05T17:16:48.547Z and modified on 2026-06-08T18:03:38.143Z.