7-Zip 26.01 fixes NTFS flaw that could let attackers run code through crafted files
7-Zip users should update to version 26.01 after researchers disclosed a high-severity vulnerability that could allow arbitrary code execution or application crashes when a user opens a specially crafted NTFS image.
The main issue is tracked as CVE-2026-48095 and GHSL-2026-140. A GitHub Security Lab advisory says the flaw is present in 7-Zip 26.00 and affects all versions through 26.00.
The fix is already available in version 26.01, which was released on April 27, 2026. Users can get the latest build from the official 7-Zip download page.
What makes the 7-Zip NTFS bug dangerous
The vulnerability sits in 7-Zip’s NTFS archive handler. It stems from an incorrect buffer-size calculation in the GetCuSize function, which handles compressed NTFS streams.
A crafted NTFS image can trigger undefined behavior in a 32-bit shift operation. In the vulnerable path, 7-Zip may allocate a 1-byte input buffer, then write a much larger amount of attacker-controlled data into it.
That memory corruption can overwrite nearby heap data and lead to a vtable hijack. In practical terms, a malicious file could crash 7-Zip or potentially run code under the same user account that opened the file.
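As an added illustration (not 7-Zip's code and not the actual GetCuSize logic, which the advisory does not reproduce here), the following C shows how a buffer size derived from a header-controlled shift count degenerates to 1 byte on x86 when the count is out of range, and the two bound checks that close that path; all function and field names are hypothetical and the sample input is constructed.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Added illustration, not 7-Zip's code: a buffer size derived from an
 * attacker-controlled shift count, the kind of calculation the advisory
 * describes going wrong in 32-bit arithmetic. */

/* What x86 hardware does with a 32-bit shift: only the low 5 bits of the
 * count are used, so a count of 32 wraps to 0 and 1 << 32 becomes 1.
 * In C an out-of-range shift is undefined behaviour; this emulates the
 * hardware result explicitly so the failure mode can be shown portably. */
uint32_t unit_size_wrapping(unsigned shift) {
    return (uint32_t)1 << (shift & 31);
}

/* Hardened: a shift count that cannot fit in 32 bits is rejected up front.
 * Returns 0 on rejection (a real unit size is never 0). */
uint32_t unit_size_checked(unsigned shift) {
    if (shift >= 32) return 0;
    return (uint32_t)1 << shift;
}

/* Decode step: size the output buffer from the header field, then refuse
 * to copy more stream bytes than the buffer holds. Returns bytes copied,
 * or -1 when the header is rejected or the data would not fit. */
long copy_into_unit(unsigned shift, const uint8_t *data, size_t data_len) {
    uint32_t unit = unit_size_checked(shift);
    if (unit == 0) return -1;
    if (data_len > unit) return -1;   /* the bound that stops the heap overflow */
    uint8_t *buf = malloc(unit);
    if (!buf) return -1;
    memcpy(buf, data, data_len);
    free(buf);
    return (long)data_len;
}

/* Constructed sample input: data_len bytes of filler standing in for a
 * compressed stream, fed through copy_into_unit with the given header value. */
long demo_copy(unsigned shift, size_t data_len) {
    uint8_t *data = malloc(data_len ? data_len : 1);
    if (!data) return -1;
    memset(data, 0x41, data_len);
    long r = copy_into_unit(shift, data, data_len);
    free(data);
    return r;
}
```

With a header shift of 32, the wrapping arithmetic yields a 1-byte unit while the checked path rejects the header outright; with a valid shift, the length check still refuses streams larger than the unit.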
Key details at a glance
| Item | Details |
|---|---|
| CVE | CVE-2026-48095 |
| Advisory | GHSL-2026-140 |
| Affected product | 7-Zip |
| Affected versions | Versions through 26.00 |
| Fixed version | 7-Zip 26.01 |
| Affected component | NTFS archive handler |
| Severity | CVSS 3.1 score of 8.8, High |
| Main risk | Arbitrary code execution or application crash |
How a malicious file can trigger the flaw
The attack does not need a file that looks like a normal NTFS image. 7-Zip uses signature-based detection for many formats, including NTFS.
The GHSL-2026-140 advisory says a crafted NTFS image can use another extension, such as .7z, .zip, .rar, or no extension at all. If the first handler rejects the file, 7-Zip can still fall back to the NTFS handler based on file content.
This makes the attack surface broader than it may first appear. A user might think they are opening a harmless archive, while 7-Zip processes the file through the vulnerable NTFS code path.
More 7-Zip memory issues were also fixed
GitHub Security Lab also disclosed several other memory access issues in 7-Zip 26.00. A separate GitHub Security Lab advisory covers flaws in archive formats and handlers such as SquashFS, UEFI, UDF, WIM, and Ar.
These related bugs include integer overflows, out-of-bounds reads, uninitialized memory disclosure, and a path traversal issue in a sample extractor. Some mainly affect 32-bit builds or specific archive formats.
The important point for users is simple. 7-Zip 26.01 includes fixes for the reported issues, so older installations should not remain in use on systems that handle untrusted archives.
Why 7-Zip users should update quickly
7-Zip does not ship a built-in automatic updater that covers every deployment style. Many users install it once and forget about it, while some organizations keep portable copies in shared folders, admin toolkits, or scripts.
That creates a patching gap. A user may update the main desktop installation but still run an older 7z.exe, 7z.dll, or portable copy from another location.
Administrators should check standard installations, portable builds, bundled copies, and third-party tools that ship with 7-Zip components.
Who faces the highest risk
The vulnerability requires user interaction because someone must open, test, or extract a crafted file. That still leaves many realistic attack paths.
Attackers can send malicious archives by email, share files through messaging platforms, upload files to support portals, or plant files in locations where analysts, help desks, or administrators may inspect them.
Systems used for malware analysis, document intake, legal review, software support, and IT administration should receive special attention because those users often open files from unknown or semi-trusted sources.
Recommended actions for users and administrators
- Update 7-Zip to 7-Zip 26.01 or later.
- Remove old portable copies of 7-Zip from shared folders and admin toolkits.
- Check whether scripts or applications call older versions of 7z.exe or 7z.dll.
- Avoid opening archives or disk images from unknown sources until all systems are patched.
- Scan endpoints for 7-Zip 26.00 and earlier versions.
- Prioritize systems that process user-submitted files or email attachments.
- Download installers only from official project channels.
What security teams should monitor
Security teams should treat suspicious archive handling as a detection opportunity. Watch for 7-Zip opening unexpected disk-image formats, especially when the file extension does not match the actual content.
Crashes in 7-Zip after opening an archive should not be dismissed as normal instability. In this case, a crash may indicate attempted exploitation of a malformed image.
The related memory access advisory also shows why defenders should track less obvious archive formats. Attackers often abuse formats that users do not recognize because those handlers receive less attention during routine security reviews.
The bigger picture
Archive utilities remain attractive targets because they sit between users and untrusted files. A single malicious attachment can reach a parsing engine before antivirus, sandboxing, or operating system protections fully understand the file’s real structure.
That risk grows when a tool supports many formats. 7-Zip can unpack common archive types, but it also supports disk images, firmware-related formats, file systems, and legacy archive formats.
For most users, the safest response is direct. Update 7-Zip, remove outdated copies, and avoid opening files from unknown sources unless they pass through proper scanning and isolation.
FAQ
CVE-2026-48095 is a high-severity heap buffer overflow in 7-Zip’s NTFS archive handler. It can be triggered with a crafted NTFS image and may allow arbitrary code execution or application crashes.
GitHub Security Lab says 7-Zip versions through 26.00 are affected by CVE-2026-48095. Version 26.01 includes the fix.
Yes. The crafted NTFS image does not need to use an NTFS-looking extension. 7-Zip can reach the vulnerable handler through signature-based detection after another handler rejects the file.
Yes. A user must open, test, or extract a crafted file for the vulnerable parsing path to run. That still creates risk through email attachments, shared downloads, support uploads, and files from unknown sources.
Users should update to 7-Zip 26.01 or later, remove old portable copies, avoid untrusted archives, and make sure scripts or third-party tools do not rely on outdated 7-Zip components.