CVE-2026-48112
MediumCVSS 6.5Summary
7-Zip versions 9.18 through 26.00 contain a heap out-of-bounds read vulnerability in the BSD SYMDEF parser. The ParseLibSymbols function reads data beyond the allocated memory area, potentially leading to leakage of uninitialized data.
Risk Assessment
Organizations may be exposed to leakage of sensitive information from memory, which could lead to further attacks or security breaches.
Recommendation
It is recommended to update 7-Zip to version 26.01 or later to mitigate this vulnerability.
Original NVD description (English source)
7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain a heap out-of-bounds read in 7-Zip Ar handler BSD SYMDEF parser. A 4-byte heap out-of-bounds read exists in the Unix ar archive parser in 7-Zip. When parsing a BSD-style __.SYMDEF symbol table, the ParseLibSymbols function reads a 32-bit namesSize field via Get32 at a position that can equal the buffer size, reading 4 bytes past the end of the heap allocation. This reads uninitialized heap data under the default allocator. Version 26.01 patches the issue.

