Archive Files Become Attack Vector in Newly Disclosed 7-Zip Code Execution Flaw

Overview

A newly disclosed vulnerability in 7-Zip highlights how widely used utility software can become an unexpected entry point for system compromise.

Tracked as CVE-2026-48095, the flaw affects 7-Zip archive processing and may allow attackers to achieve Remote Code Execution (RCE) when a specially crafted file is opened.

The vulnerability was identified by GitHub Security Lab researcher Jaroslav Lobačevski and affects 7-Zip version 26.00 and earlier.

According to published technical analysis, the issue originates in how 7-Zip processes certain NTFS compressed archive structures.

What Is the Vulnerability

The issue affects 7-Zip’s NTFS archive handler, responsible for parsing compressed NTFS data structures.

Researchers found that, under specific conditions, the software miscalculates the memory allocation size when handling crafted NTFS content, so the buffer it allocates is smaller than the data later written into it.

This can result in:

  • insufficient memory allocation
  • out-of-bounds memory writing
  • corruption of internal program structures
  • attacker-controlled execution flow

The flaw has been classified under:

  • CWE-787 – Out-of-Bounds Write
  • CWE-190 – Integer Overflow

and carries a CVSS score of 8.8 (High).

Why This Matters

One of the more concerning aspects of the vulnerability is that it is not tied to a specific archive extension.

7-Zip determines the archive format partly from the file's internal signature rather than from its extension alone.

This means a malicious NTFS image may be disguised as:

  • .zip
  • .7z
  • .rar
  • or another arbitrary file extension

If the file is opened and parsed by the vulnerable component, exploitation may occur.
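As an added example (not code from the article or from 7-Zip), the extension-versus-content check that follows from this point: it classifies a file by its leading bytes alone and flags archive-named files whose contents are actually an NTFS image, the disguise described above. The format signatures and the sample headers are constructed for the example.

```python
import os

# Constructed reference values (not from the article or 7-Zip's source): the
# leading bytes of the archive formats the article names, and the OEM ID an
# NTFS boot sector carries at byte offset 3.
ARCHIVE_MAGIC = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),
    "7z": (b"7z\xbc\xaf\x27\x1c",),
    "rar": (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00"),
}
NTFS_OEM_ID = b"NTFS    "  # offsets 3..10 of an NTFS boot sector

def identify_content(header: bytes) -> str:
    """Classify a file by its leading bytes only; the file name is ignored."""
    if len(header) >= 11 and header[3:11] == NTFS_OEM_ID:
        return "ntfs"
    for fmt, magics in ARCHIVE_MAGIC.items():
        if header.startswith(magics):
            return fmt
    return "unknown"

def check_file(name: str, header: bytes) -> dict:
    """Compare what the extension claims with what the bytes actually are."""
    ext = os.path.splitext(name)[1].lower().lstrip(".")
    claimed = ext if ext in ARCHIVE_MAGIC else None
    content = identify_content(header)
    return {
        "name": name,
        "claimed": claimed,
        "content": content,
        # An archive extension on non-archive bytes is the disguise described
        # in the article; a raw NTFS image is flagged whatever it is called.
        "mismatch": claimed is not None and content != claimed,
        "ntfs_image": content == "ntfs",
    }

def suspicious(files: dict) -> list:
    """Names of received files worth holding for analyst review."""
    results = (check_file(n, h) for n, h in files.items())
    return [r["name"] for r in results if r["mismatch"] or r["ntfs_image"]]

# Constructed sample headers (first 16 bytes) standing in for received files.
NTFS_HEADER = b"\xeb\x52\x90" + NTFS_OEM_ID + b"\x00" * 5  # NTFS boot sector
ZIP_HEADER = b"PK\x03\x04\x14\x00\x00\x00\x08\x00" + b"\x00" * 6
SAMPLE_FILES = {
    "invoice.zip": NTFS_HEADER,  # NTFS image disguised as a ZIP archive
    "report.zip": ZIP_HEADER,    # genuine ZIP local file header
    "backup.img": NTFS_HEADER,   # NTFS image with an honest extension
}
```

A flagged file is a triage signal for quarantine and analyst review, not proof of exploitation; the check complements patching rather than replacing it.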

The published research notes that the only user interaction required is opening the crafted archive.

Depending on system conditions and available memory, the outcome may include:

  • denial of service
  • application crash
  • or execution of attacker-controlled code

Both 32-bit and 64-bit builds are reported as affected.

DIAMATIX Perspective

Utility software and file-handling tools often receive less security attention than browsers or operating systems, despite their broad deployment.

Archive utilities are particularly attractive to attackers because they:

  • routinely process external content
  • are commonly trusted by users
  • interact directly with local file systems
  • may bypass suspicion during phishing or delivery campaigns

This case reinforces a recurring lesson in cybersecurity:

Trusted software does not automatically mean low risk.

Attackers increasingly target auxiliary applications and parsing components that sit outside traditional security focus.

CISO Analysis

The 7-Zip case highlights the continuing importance of software hygiene and patch visibility.

Organizations should review:

  • inventory of archive and compression tools
  • patch status across endpoints
  • use of legacy or unmanaged utilities
  • file handling policies for externally received archives
  • endpoint telemetry around archive execution behavior

Archive-based delivery remains a frequent initial access technique in phishing, malware delivery, and targeted intrusion activity.

The combination of trusted software and crafted content continues to create effective attack paths.

What This Means for Your Environment

  • This type of attack relies on malicious file parsing inside trusted software rather than direct exploitation of the operating system.
  • Detection depends on endpoint visibility, suspicious archive handling behavior, and monitoring of execution chains following file extraction or opening.
  • Response requires rapid software updates, controlled handling of untrusted files, and visibility across endpoint activity.

Could your environment identify suspicious archive execution before malicious code runs?

Are archive utilities included in your vulnerability and patch management processes?

See how file-based attack chains are monitored and handled in real operational environments.

Contact DIAMATIX

Trusted · Innovative · Vigilant


Sources

  • GitHub Security Lab Advisory (GHSL-2026-140)
  • 7-Zip Security and Release Documentation
  • Public vulnerability analysis and technical reporting, May 2026

This article is based on publicly available technical and threat intelligence information as of May 2026.
