PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-48111 mcmilk CVE debrief

CVE-2026-48111 is a MEDIUM severity vulnerability in 7-Zip, a file archiver with a high compression ratio. Versions 9.21 through 26.00 are affected by an off-by-one out-of-bounds read vulnerability in the ParseDepedencyExpression function of the UEFI firmware image parser. This vulnerability allows for a denial of service (access violation) or minor information disclosure of an adjacent .rdata string literal into archive metadata. The vulnerability is automatically triggered during IInArchive::Open() when processing specific UEFI firmware sections. Version 26.01 fixes the issue.

Vendor
mcmilk
Product
7-Zip
CVSS
MEDIUM 4.3
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-05
Original CVE updated
2026-06-08
Advisory published
2026-06-05
Advisory updated
2026-06-08

Who should care

Users of 7-Zip versions 9.21 through 26.00 should update to version 26.01 to mitigate this vulnerability. This vulnerability could potentially lead to denial of service or minor information disclosure.

Technical summary

The vulnerability is caused by an off-by-one out-of-bounds read in the ParseDepedencyExpression function of the UEFI firmware image parser (CPP/7zip/Archive/UefiHandler.cpp). The function incorrectly validates an attacker-controlled opcode byte, allowing an opcode value of 10 to read past the end of the kExpressionCommands static array. This out-of-bounds value is then dereferenced and passed through strlen and memcpy into the archive's Characts property.

Defensive priority

MEDIUM

Recommended defensive actions

  • Update 7-Zip to version 26.01 or later.

Evidence notes

CVE-2026-48111 has a CVSS score of 4.3 and is classified as MEDIUM severity. The vulnerability was published on 2026-06-05T17:16:48.937Z and modified on 2026-06-08T18:16:33.680Z.

Official resources

CVE-2026-48111 was published on 2026-06-05T17:16:48.937Z and modified on 2026-06-08T18:16:33.680Z.