PatchSiren cyber security CVE debrief
CVE-2026-48112 mcmilk CVE debrief
CVE-2026-48112 is a medium-severity vulnerability in 7-Zip, a file archiver with a high compression ratio. Versions 9.18 through 26.00 are affected by a heap out-of-bounds read in the Ar handler's BSD __.SYMDEF parser. When parsing a BSD-style __.SYMDEF symbol table, the ParseLibSymbols function reads the 32-bit namesSize field with Get32 at a position that its bounds check allows to equal the buffer size, so the 4-byte read lands entirely past the end of the heap allocation. Under the default allocator those 4 bytes are whatever follows the allocation, typically uninitialized heap data. The defect is a read, not a write: a crafted ar archive can crash the parser or leak a few bytes of heap memory into the parse state. The issue was patched in version 26.01.
- Vendor: mcmilk
- Product: 7-Zip
- CVSS: MEDIUM 6.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-05
- Original CVE updated: 2026-06-08
- Advisory published: 2026-06-05
- Advisory updated: 2026-06-08
Who should care
Anyone running 7-Zip 9.18 through 26.00 should update to version 26.01 or later. The parser is reached by opening or listing a crafted Unix ar archive, so deployments that feed untrusted archives to 7-Zip unattended (mail and upload scanners, extraction services, build pipelines) are the ones most likely to see the crash or the leaked bytes, and should update first.
Technical summary
A 4-byte heap out-of-bounds read exists in the Unix ar archive parser in 7-Zip. When parsing a BSD-style __.SYMDEF symbol table, ParseLibSymbols reads the 32-bit namesSize field via Get32 at a position that the bounds check allows to equal the buffer size; Get32 needs 4 bytes starting at that position, so the read covers exactly the 4 bytes past the end of the heap allocation. NVD classifies the issue as CWE-125 (out-of-bounds read) together with CWE-190 (integer overflow or wraparound), the latter relating to the arithmetic that produces the position.
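The following is an added illustration, not 7-Zip's own code: a small model of the __.SYMDEF walk described above, with the off-by-four bound check beside the corrected one. The field names namesSize and Get32 come from the advisory; the little-endian layout, the function names symdef_names_size and run_case, and the constructed sample table (one ranlib entry, arbitrary file offset 0x5c) are assumptions made for the example. The truncated input is placed in a heap block with four 0xAA sentinel bytes after its logical end, so the bytes the vulnerable check lets Get32 consume are visible in the result rather than being undefined memory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

enum { SYMDEF_OK = 0, SYMDEF_TRUNCATED = 1 };

/* Little-endian 32-bit load, standing in for 7-Zip's Get32 helper (assumed LE layout). */
static uint32_t Get32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/*
 * Classic BSD __.SYMDEF (ranlib) layout as modeled here:
 *   u32 ranlibSize                                  byte length of the ranlib array
 *   struct { u32 strOff; u32 fileOff; } ranlib[ranlibSize / 8]
 *   u32 namesSize                                   byte length of the string table
 *   char names[namesSize]
 *
 * Returns the namesSize field. 'strict' selects the corrected bound check;
 * strict == 0 reproduces the off-by-four pattern described in the advisory.
 */
static int symdef_names_size(const uint8_t *buf, size_t size, int strict, uint32_t *out)
{
    if (size < 4)
        return SYMDEF_TRUNCATED;
    uint32_t ranlibSize = Get32(buf);
    /* Compare before adding so a huge ranlibSize cannot wrap pos (CWE-190). */
    if (ranlibSize > size - 4)
        return SYMDEF_TRUNCATED;
    size_t pos = 4 + (size_t)ranlibSize;          /* pos <= size is now guaranteed */

    if (strict) {
        /* Corrected: the whole 4-byte field must lie inside the buffer. */
        if (size - pos < 4)
            return SYMDEF_TRUNCATED;
    } else {
        /* Modeled defect: pos == size passes, and Get32 then reads buf[size..size+3]. */
        if (pos > size)
            return SYMDEF_TRUNCATED;
    }
    *out = Get32(buf + pos);
    return SYMDEF_OK;
}

/*
 * Constructed input (not a real archive): a symbol table with one ranlib entry.
 * With with_names == 0 the namesSize field is omitted, so the table ends exactly
 * where that field would start. The block is allocated 4 bytes larger than its
 * logical size and those bytes are set to 0xAA to stand in for adjacent heap
 * data; the parser is told the logical size only, so 0xAA in the result can
 * only have come from past the end.
 */
static int run_case(int strict, int with_names, uint32_t *names_size)
{
    enum { NAMES_LEN = 5 };                        /* "a\0b\0" plus terminator */
    size_t logical = 4 + 8 + (with_names ? 4 + NAMES_LEN : 0);
    uint8_t *blk = calloc(logical + 4, 1);
    if (!blk)
        return SYMDEF_TRUNCATED;
    blk[0] = 8;                                    /* ranlibSize = 8 (one entry), LE */
    blk[4] = 0;                                    /* ranlib[0].strOff = 0 */
    blk[8] = 0x5c;                                 /* ranlib[0].fileOff, arbitrary value */
    if (with_names) {
        blk[12] = NAMES_LEN;                       /* namesSize = 5, LE */
        memcpy(blk + 16, "a\0b\0", NAMES_LEN);
    }
    memset(blk + logical, 0xAA, 4);                /* sentinel for adjacent heap data */

    *names_size = 0;
    int st = symdef_names_size(blk, logical, strict, names_size);
    free(blk);
    return st;
}

int main(void)
{
    uint32_t v;
    int st;

    st = run_case(0, 1, &v);
    printf("well-formed, vulnerable check: status %d namesSize %u\n", st, v);
    st = run_case(0, 0, &v);
    printf("truncated,   vulnerable check: status %d namesSize 0x%08x (sentinel bytes)\n", st, v);
    st = run_case(1, 0, &v);
    printf("truncated,   corrected check:  status %d (rejected)\n", st);
    return 0;
}
```

The well-formed table parses identically under both checks; the truncated one is where they diverge. The vulnerable path reports success with namesSize taken from the sentinel bytes, which is exactly the "uninitialized heap data" outcome the advisory describes, while the corrected check rejects the input before the load. The ranlibSize comparison is done against size - 4 rather than by adding first, which is the usual way to keep the position arithmetic from wrapping.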
Defensive priority
Medium
Recommended defensive actions
- Update 7-Zip to version 26.01 or later, and confirm the version shown in the 7-Zip banner afterwards.
- Until the update is applied, do not open or list untrusted Unix ar archives with an affected build; .a, .lib and .deb files are all dispatched to the same Ar handler. The NVD reference for this CVE is tagged Exploit, so assume a public trigger exists.
- Where 7-Zip processes untrusted archives unattended, expect the worst case to be a crash of the extracting process or a few leaked heap bytes, not code execution; prioritise accordingly.
Evidence notes
CVE-2026-48112 was published on 2026-06-05T17:16:49.353Z and modified on 2026-06-08T18:00:40.557Z. The vulnerability has a CVSS score of 6.5 and is classified as CWE-125 (out-of-bounds read) and CWE-190 (integer overflow or wraparound).
Official resources
- CVE-2026-48112 CVE record (CVE.org)
- CVE-2026-48112 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] (reference tagged Exploit, Patch, Third Party Advisory)