CVE-2026-48111 in 7-Zip
Summary
by MITRE • 06/05/2026
7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an off-by-one out-of-bounds read vulnerability in the ParseDepedencyExpression function of the UEFI firmware image parser(CPP/7zip/Archive/UefiHandler.cpp). The function validates an attacker-controlled opcode byte using > instead of >= against the element count of the 10-entry kExpressionCommands static array, allowing an opcode value of 10 to read one pointer slot (8 bytes on x64) past the end of the array in .rodata. The out-of-bounds value is then dereferenced as a const char * and passed through strlen and memcpy into the archive's Characts property, which may cause either a denial of service (access violation when the adjacent bytes do not form a valid readable pointer) or a minor information disclosure of an adjacent .rdata string literal into archive metadata. The vulnerability is reached automatically during IInArchive::Open() via the call path OpenFv/OpenCapsule → ParseVolume → ParseSections when processing a SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B) section whose first body byte is 0x0A, and the UEFI handler is enabled by default in stock 7z.dll with signature-based detection for both UEFIc and UEFIf formats. The outcome (crash vs. silent leak) is deterministic per build but linker-layout dependent, with no write primitive and no disclosure of heap data, secrets, or ASLR base addresses. Version 26.01 fixes the issue.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 06/05/2026
The vulnerability exists within the 7-Zip file archiver software, specifically in versions 9.21 through 26.00, where an off-by-one out-of-bounds read flaw has been identified in the UEFI firmware image parser component. This issue manifests in the ParseDepedencyExpression function located in CPP/7zip/Archive/UefiHandler.cpp, where a critical logic error occurs during validation of attacker-controlled opcode bytes. The flaw stems from the use of the greater than operator > instead of the greater than or equal operator >= when comparing the opcode value against the element count of the static kExpressionCommands array, which contains exactly 10 entries. This seemingly minor coding error creates a condition where an opcode value of 10 can access memory that lies immediately beyond the bounds of the array, specifically reading one pointer slot of 8 bytes on x64 architectures from the .rodata section.
The technical execution of this vulnerability occurs automatically during normal archive processing operations through the IInArchive::Open() interface method, specifically when handling UEFI firmware image sections of type SECTION_DXE_DEPEX (0x13) or SECTION_PEI_DEPEX (0x1B). The attack path follows a well-defined sequence starting with OpenFv/OpenCapsule, then proceeding through ParseVolume and ParseSections, ultimately reaching the vulnerable ParseDepedencyExpression function when the first byte of the section body contains the value 0x0A. This default behavior means that any user who opens a maliciously crafted UEFI firmware image file will trigger the vulnerability without requiring any special interaction or privilege escalation. The out-of-bounds memory access results in the dereferencing of a const char * pointer that points to adjacent memory locations in the .rdata section, which then gets processed through strlen and memcpy operations into the archive's Characts property, effectively embedding the leaked data into the archive metadata.
The operational impact of this vulnerability spans both denial of service and information disclosure scenarios, with the specific outcome depending on the memory layout and build configuration of the target system. When the adjacent memory does not contain valid pointer data, the access violation results in a crash that terminates the 7-Zip application, effectively creating a denial of service condition. However, in cases where the adjacent memory contains readable string literals from the .rdata section, the vulnerability enables a minor information disclosure where these adjacent string values become embedded in the archive's metadata properties. This information leakage, while not exposing sensitive heap data or system secrets, does represent a privacy concern as it may inadvertently reveal internal implementation details or potentially sensitive information that was not intended for public exposure. The vulnerability affects the default 7z.dll implementation where both UEFIc and UEFIf formats are supported through signature-based detection mechanisms, making it particularly concerning given the widespread use of 7-Zip across various platforms and applications.
From a cybersecurity perspective, this vulnerability aligns with CWE-129, which addresses improper validation of array index bounds, and can be categorized under ATT&CK technique T1203, which covers exploitation for privilege escalation through application execution. The vulnerability represents a classic example of how seemingly minor programming errors can create significant security implications in widely-used software components. The deterministic nature of the crash versus information leak outcome, while dependent on linker memory layout, means that attackers can potentially predict and exploit the behavior based on specific build configurations. The lack of write primitives and absence of disclosure of heap data or ASLR base addresses limits the severity to denial of service and minor information disclosure rather than more severe exploitation vectors such as code execution or privilege escalation. The fix implemented in version 26.01 resolves the core issue by correcting the comparison operator from > to >=, ensuring that the opcode value cannot exceed the valid range of the array indices and preventing the out-of-bounds memory access entirely. This correction represents a fundamental defensive programming practice that should be applied whenever array bounds are validated, particularly in security-critical applications where input validation is paramount to maintaining system integrity and preventing potential exploitation by malicious actors.