CVE-2026-48101

NameCVE-2026-48101
Description7-Zip is a file archiver with a high compression ratio. Versions 9.21 through 26.00 contain an An uninitialized memory disclosure vulnerability in the UEFI capsule (.scap) parser in 7-Zip. The OpenCapsule function allocates a heap buffer of attacker-declared CapsuleImageSize (up to 1 GiB) without zero-initialization, then reads the file contents into it with ReadStream_FALSE whose return value is silently discarded. If the file is truncated, the unread tail of the buffer retains uninitialized heap memory, which is then exposed as extracted file content via GetStream. Version 26.0.1 fixes the issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
7zip (PTS)bookworm22.01+really25.01+dfsg-0+deb12u1vulnerable
trixie25.01+dfsg-1~deb13u2vulnerable
forky, sid26.01+dfsg-2fixed
p7zip (PTS)bullseye16.02+dfsg-8vulnerable
bullseye (security)16.02+really25.01+dfsg-0+deb11u1vulnerable
bookworm16.02+really25.01+dfsg-0+deb12u1vulnerable
trixie16.02+transitional.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
7zipsource(unstable)26.01+dfsg-1unimportant
p7zipsource(unstable)16.02+transitional.1unimportant

Notes

Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package
depending on 7zip. Mark this version as fixed version.
https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/
Crash in CLI tool, no security impact
Search for package or bug name: Reporting problems