The hugely popular open source utility 7-Zip has been hit by a new critical security vulnerability, cataloged with a threat score of 8.8 out of 10. The flaw – identified as CVE-2026-48095 – potentially affects hundreds of millions of devices worldwide: Windows PCs, Linux servers, cloud systems and industrial automation infrastructures. The real danger is that an attacker can execute malicious code on the victim’s computer simply by inducing them to open a specially manipulated archive, in common formats such as .7z, .zip or .rar.
Extracting the files is not necessary: simply opening the archive to list its contents, or having it pass through automated software, is enough to trigger the flaw. The problem affects version 26.00 of the program and all earlier versions; 26.01, released on April 27, 2026, includes the fix. Since 7-Zip has no automatic update mechanism, the update must be installed manually. In the following paragraphs we analyze how the bug works technically and the steps needed to stay safe.
How the 7-Zip bug technically works
The problem lies in the way the software analyzes the file structure. Specifically, the flaw is hidden in the code dedicated to reading disk images in NTFS format (the standard file system used by Microsoft for the Windows NT, 10 and 11 operating systems). When 7-Zip processes this type of file, a specially constructed NTFS image can induce an error in calculating the size of the buffer (a temporary memory area that the program uses to move data). Due to a bug in the sizing expression, the buffer is allocated with just 1 byte of space instead of the correct amount.
The subsequent read operation then writes attacker-controlled data beyond this tiny buffer, generating what is called a heap buffer overflow: an overflow in heap memory that, under favorable conditions, allows malicious code to take control of the execution flow and run with the privileges of the program in use. On systems with limited memory resources, the most likely outcome is an application crash or denial of service instead.
You might think that giving up opening files with suspicious extensions is enough to stay safe, but that’s not the case. This is because an attacker could disguise a malicious NTFS image by giving it the extension of a common .zip or .rar file.
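A defensive check for the disguise described above, added here as an example and not taken from 7-Zip or from the advisory: it flags files that carry an archive extension but whose first bytes hold the NTFS boot-sector OEM ID instead of the expected archive signature. The function names, verdict labels and sample files are assumptions constructed for illustration.

```python
import tempfile
from pathlib import Path

# Leading signatures of the container formats the article names.
ARCHIVE_MAGIC = {
    ".zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    ".7z": (b"7z\xbc\xaf\x27\x1c",),
    ".rar": (b"Rar!\x1a\x07",),
}
NTFS_OEM_ID = b"NTFS    "  # bytes 3..10 of an NTFS boot sector


def classify(path):
    """Return 'ntfs-disguised', 'mismatch', 'ok' or 'skipped' for one file."""
    path = Path(path)
    ext = path.suffix.lower()
    if ext not in ARCHIVE_MAGIC:
        return "skipped"  # not one of the archive extensions we check
    with path.open("rb") as fh:
        head = fh.read(512)
    if head[3:11] == NTFS_OEM_ID:
        return "ntfs-disguised"  # NTFS image hiding behind an archive name
    if head.startswith(ARCHIVE_MAGIC[ext]):
        return "ok"
    return "mismatch"  # some other content behind an archive extension


def scan(directory):
    """Return {path: verdict} for archive-named files that are not 'ok'."""
    verdicts = {p: classify(p) for p in Path(directory).rglob("*") if p.is_file()}
    return {str(p): v for p, v in verdicts.items() if v in ("ntfs-disguised", "mismatch")}


def demo():
    """Scan a temp directory of constructed sample files (headers only)."""
    samples = {
        "report.zip": b"PK\x03\x04" + b"\x00" * 60,                  # ZIP signature
        "invoice.zip": b"\xeb\x52\x90" + NTFS_OEM_ID + b"\x00" * 501,  # NTFS OEM ID
        "notes.rar": b"hello world",                                # neither
        "readme.txt": b"plain text",                                # not checked
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, data in samples.items():
            Path(tmp, name).write_bytes(data)
        return {Path(p).name: v for p, v in scan(tmp).items()}


if __name__ == "__main__":
    print(demo())
```

The check only inspects the outermost file, so an NTFS image stored inside a genuine archive is not caught by it; updating 7-Zip remains the actual fix.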
Why the spread of 7-Zip amplifies the risk
The enormous spread of this tool multiplies the attack surface significantly. In addition to the classic GUI application on Windows, 7-Zip is silently embedded in millions of enterprise scripts, in OEM systems pre-installed by computer manufacturers, and in CI/CD environments, the automated pipelines that developers use to test and release software. Additionally, several Linux distributions, including Ubuntu and RHEL 8, often include packages like p7zip that may be outdated and therefore vulnerable.
A further risk factor is linked to the open source nature of the project: since the code is publicly available, many third-party applications have integrated it internally. This means that a malicious archive can be processed completely automatically, without the user clicking on anything, by antivirus software, backup tools, file managers or malware analysis platforms. These applications often operate with elevated privileges, which further amplifies the potential damage if they are compromised.
How to protect yourself from the new vulnerability
The solution is to update 7-Zip to version 26.01 or later. On Windows, you can check the installed version by opening the application and consulting the Program Information section: if the number is less than 26.01, you need to download the new installer from the official website – 7-zip.org – and start it. It is advisable to complete this operation before interacting with any externally sourced archive.








