CVE-2026-48095: GitHub Security Lab discloses heap overflow in 7-Zip NTFS handler, arbitrary code execution via any file extension

GitHub Security Lab researcher Jaroslav Lobačevski published an advisory on May 22 for CVE-2026-48095 (GHSL-2026-140), a heap buffer write overflow in 7-Zip’s NTFS archive handler that can lead to arbitrary code execution. The root cause is undefined behavior in the GetCuSize() function, which computes an NTFS compressed-stream buffer size via a 32-bit left shift: when an attacker-crafted NTFS image sets ClusterSizeLog = 28 and CompressionUnit = 4, the shift exponent reaches 32 — undefined behavior in C++. On both x86 and x64, hardware shift-count masking causes the expression to yield 1, so _inBuf is allocated as 1 byte. The immediately following ReadStream_FALSE call then writes up to 256 MB of attacker-controlled cluster data into that 1-byte buffer. Debugger analysis confirms the stream object (CInStream) sits only 304 bytes after _inBuf on the heap; the first 64 KB write overwrites its vtable pointer, and the next iteration dispatches through the corrupted vtable — a classic vtable hijack granting code execution. The vulnerability carries a CVSS 3.1 score of 8.8 (High): no authentication required, no privileges needed, one user interaction (opening the file).

A particularly notable attack-surface detail: 7-Zip uses signature-based fallback detection, so a crafted NTFS image — bearing the 8-byte "NTFS    " OEM ID (NTFS followed by four spaces) at byte offset 3 — will be routed to the NTFS handler regardless of file extension. A malicious file delivered as .7z, .zip, .rar, or with no extension at all triggers the same code path. All 7-Zip versions through 26.00 are affected on both 32-bit and 64-bit builds; on 64-bit systems with less than ~16 GB of free RAM, the 8 GB _outBuf allocation may fail, limiting impact to a crash. Lobačevski reported the issue privately on April 24; Igor Pavlov shipped a fix in v26.01 three days later on April 27. Users still on 26.00 or earlier should update immediately.
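As an added illustration (not 7-Zip's code and not taken from the advisory), the C++ below shows a bounds-checked replacement for a size computation of the shape `1 << (ClusterSizeLog + CompressionUnit)`, and the offset-3 OEM-ID check a scanner can use to recognise an NTFS image whatever its extension says; `kMaxCuSizeLog`, the function names and the sample header bytes are assumptions.

```cpp
#include <cstdint>
#include <cstddef>
#include <cstdio>
#include <cstring>

// Assumed upper bound for log2 of a compression-unit size (1 GiB). Real NTFS
// clusters are far smaller; the point is that the exponent is checked before
// it can ever reach the 32-bit shift width.
constexpr unsigned kMaxCuSizeLog = 30;

// Bounds-checked version of a computation shaped like
// (UInt32)1 << (ClusterSizeLog + CompressionUnit). Returns false instead of
// shifting by >= 32 (undefined behaviour; x86/x64 mask the count to 0 and
// yield 1, which is how the 1-byte _inBuf described above arises).
bool checkedCuSize(unsigned clusterSizeLog, unsigned compressionUnit, uint32_t *outSize)
{
    const uint64_t shift = (uint64_t)clusterSizeLog + compressionUnit; // widen first
    if (shift > kMaxCuSizeLog)
        return false;                               // rejects (28, 4): shift would be 32
    const uint64_t size = (uint64_t)1 << shift;     // 64-bit shift, count < 64 guaranteed
    if (size > UINT32_MAX)
        return false;
    *outSize = (uint32_t)size;
    return true;
}

// Content-based check mirroring the fallback routing described above: an NTFS
// boot sector carries the 8-byte OEM ID "NTFS    " at byte offset 3, so a
// scanner keys on this rather than on the file extension.
bool looksLikeNtfsImage(const uint8_t *data, size_t len)
{
    static const uint8_t kOemId[8] = { 'N', 'T', 'F', 'S', ' ', ' ', ' ', ' ' };
    return len >= 3 + sizeof(kOemId) && memcmp(data + 3, kOemId, sizeof(kOemId)) == 0;
}

int main()
{
    uint32_t size = 0;
    bool ok = checkedCuSize(12, 4, &size);   // a normal 4 KiB cluster, 16-cluster unit
    printf("normal  (12,4): %s size=%u\n", ok ? "ok" : "rejected", (unsigned)size);
    printf("crafted (28,4): %s\n", checkedCuSize(28, 4, &size) ? "ok" : "rejected");

    // Constructed sample: first 16 bytes of an NTFS boot sector, as if saved as "payload.zip".
    const uint8_t fakeNtfs[16] = { 0xEB, 0x52, 0x90, 'N', 'T', 'F', 'S', ' ', ' ', ' ', ' ', 0, 0, 2, 8, 0 };
    const uint8_t realZip[4] = { 'P', 'K', 0x03, 0x04 };
    printf("payload.zip is NTFS image? %d  genuine zip? %d\n",
           looksLikeNtfsImage(fakeNtfs, sizeof fakeNtfs), looksLikeNtfsImage(realZip, sizeof realZip));
    return 0;
}
```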

GitHub Security Lab | SOC Prime