7-Zip CVE-2026-14266 Heap Overflow Can Enable Code Execution


A security vulnerability in 7-Zip can allow attackers to execute code after a user opens a malicious file or visits a page containing specially crafted XZ data. The flaw is tracked as CVE-2026-14266 and has been fixed in 7-Zip 26.02.

The vulnerability affects 7-Zip’s processing of chunked XZ-compressed data. Malformed input can overflow a heap buffer, corrupting memory inside the 7-Zip process and potentially giving an attacker control of its execution.

Users should update to version 26.02 or later. The official Zero Day Initiative advisory assigns the vulnerability a CVSS score of 7.0 and confirms that successful exploitation requires user interaction.

Key CVE-2026-14266 Details

Vulnerability detailConfirmed information
CVE identifierCVE-2026-14266
ZDI advisoryZDI-26-444
Vulnerability typeHeap-based buffer overflow
Affected componentXZ chunked data processing
Potential impactCode execution in the context of the current process
CVSS score7.0
User interactionRequired
Fixed version7-Zip 26.02
ResearcherLandon Peng of Lunbun LLC
Public disclosure dateJuly 15, 2026

How the 7-Zip Vulnerability Works

XZ is a compressed data format supported by 7-Zip. When the program receives an XZ stream, it reads the compressed structure, allocates memory and reconstructs the original data.

CVE-2026-14266 exists because crafted XZ chunked data can cause 7-Zip to write beyond the boundary of an allocated heap buffer. A heap overflow can overwrite nearby data used by the running process.

A crash is one possible result. Under suitable conditions, an attacker may be able to manipulate the corrupted memory and redirect the program’s execution to attacker-controlled code.

Does CVE-2026-14266 Allow Remote Attacks?

The vulnerability is described as a remote code execution issue because malicious content can originate from a remote attacker and eventually produce code execution. However, the attacker cannot directly send a network request to 7-Zip and take control without another step.

The ZDI CVSS vector is AV:L/AC:H/PR:N/UI:R. This means exploitation has a local attack vector, requires high complexity, needs no existing privileges and depends on user interaction.

According to the ZDI-26-444 security advisory, a target must open a malicious file or visit a malicious webpage. The advisory does not say that simply receiving an archive by email is enough to trigger exploitation.

Attack stageWhat must happen
DeliveryAn attacker delivers crafted XZ data through a file, download or webpage
User actionThe target opens the malicious file or visits the malicious page
Processing7-Zip processes the malformed XZ chunked data
Memory corruptionThe data triggers a heap-based buffer overflow
Potential resultAttacker-controlled code runs with the permissions of the 7-Zip process

What an Attacker Could Gain

Code executed through this vulnerability would run in the context of the affected 7-Zip process. In a normal desktop session, this generally means the attacker would receive the permissions of the logged-in user.

A compromised standard user account may still provide access to documents, browser data, mapped network drives and other resources available to that person. If 7-Zip is running with elevated privileges, the potential impact would be greater.

The vulnerability does not automatically provide administrator or system privileges. Further exploitation, stolen credentials or a separate privilege-escalation vulnerability may be required to obtain higher access.

  • Run malware under the affected user account
  • Access or alter files available to that account
  • Install persistence where user permissions allow it
  • Collect credentials and browser information
  • Use the compromised device as an entry point for further attacks

Phishing Is the Most Likely Delivery Risk

Compressed archives are frequently used to deliver malware because they can hide several files behind a single attachment. Attackers may disguise a malicious archive as an invoice, job application, shipping document, software package or project file.

CVE-2026-14266 could be incorporated into a phishing or malicious-download campaign. An attacker would still need to create working exploit content and persuade the target to process it.

The high-complexity rating is important. Memory corruption does not guarantee reliable code execution on every system, and modern operating-system protections can make exploitation harder. However, organisations should not depend on those protections instead of installing the update.

7-Zip 26.02 Fixes the Vulnerability

7-Zip 26.02 was released on June 25, 2026. Its brief official change history states that the release fixed bugs and vulnerabilities, although it does not list CVE-2026-14266 by name.

Zero Day Initiative separately confirms that CVE-2026-14266 was fixed in version 26.02. The vulnerability was reported to the vendor on June 5 and publicly disclosed on July 15 following coordinated remediation.

The official 7-Zip download page provides version 26.02 installers for 64-bit x64, 32-bit x86 and ARM64 Windows systems. Command-line builds are also available for Linux and macOS.

How to Check the Installed 7-Zip Version

Windows users can open 7-Zip File Manager and select Help, followed by About 7-Zip. The installed version appears in the information window.

Administrators can also inspect the application version through software inventory products, endpoint-management platforms or the installed applications list. Command-line deployments may require checking the version of the 7z executable directly.

Organisations should search for both centrally installed and portable copies. Employees and developers sometimes keep standalone 7-Zip executables in download folders, utility directories, build environments or administrative tool collections.

  1. Identify all installed and portable copies of 7-Zip.
  2. Confirm whether each copy is version 26.02 or later.
  3. Download the current release from the official project page.
  4. Deploy the correct build for the system architecture.
  5. Remove or replace obsolete portable executables.
  6. Verify the installed version after deployment.

Mitigations for Systems That Cannot Be Updated Immediately

Installing the fixed release is the primary remediation. If an immediate update is not possible, administrators should reduce opportunities for users to process untrusted archives.

Email and web security systems should inspect compressed attachments where technically possible. Blocking every XZ file may disrupt legitimate workflows, so restrictions should reflect the organisation’s actual use of the format.

Running daily work without administrator privileges can also limit the damage caused by successful code execution. Application-control rules and endpoint behavioural monitoring provide additional layers of protection.

  • Do not open unexpected XZ files or archives from unknown senders.
  • Verify unusual attachments through a separate communication channel.
  • Block unnecessary compressed file types at email gateways.
  • Scan downloads before opening or extracting them.
  • Use standard user accounts for routine work.
  • Monitor 7-Zip processes that launch scripts, command shells or unfamiliar executables.
  • Isolate suspicious files in a controlled analysis environment.

Is CVE-2026-14266 Being Exploited?

The public advisory does not report attacks exploiting CVE-2026-14266. It also does not provide a public proof-of-concept exploit.

That status can change after technical information becomes widely available. Security teams should avoid treating the absence of reported exploitation as a reason to delay the update.

Landon Peng of Lunbun LLC discovered and reported the vulnerability. The coordinated disclosure process gave the 7-Zip project time to prepare a fix before detailed information was published.

What Organisations Should Do Now

Security and IT teams should prioritise systems where users frequently process files received from customers, partners or the public. Help desks, recruitment teams, finance departments, software developers and security analysts may face higher exposure to untrusted archives.

Automated software inventory should be used where possible because 7-Zip does not always receive updates through the operating system’s normal patching process. Portable installations can also remain outside standard application-management controls.

After deployment, teams should confirm that version 26.02 or later is present and review whether older executables remain accessible. The 7-Zip release history and official download page provide the vendor’s current version information and installation files.

FAQ

What is CVE-2026-14266?

CVE-2026-14266 is a heap-based buffer overflow in 7-Zip’s processing of XZ chunked data. Crafted compressed data may allow code execution in the context of the affected process.

Which 7-Zip version fixes CVE-2026-14266?

The vulnerability is fixed in 7-Zip 26.02. Users should install version 26.02 or a later available release.

Can CVE-2026-14266 be exploited without user interaction?

No. The Zero Day Initiative advisory says the target must open a malicious file or visit a malicious webpage. The CVSS vector marks user interaction as required.

What is the CVSS score for the 7-Zip vulnerability?

Zero Day Initiative assigned CVE-2026-14266 a CVSS score of 7.0. Its vector indicates local access, high attack complexity, no required privileges and required user interaction.

Is CVE-2026-14266 being actively exploited?

The public Zero Day Initiative advisory does not report active exploitation. Organisations should still update promptly because public disclosure can increase attacker interest.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages