CVE-2026-48112

NameCVE-2026-48112
Description7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain a heap out-of-bounds read in 7-Zip Ar handler BSD SYMDEF parser. A 4-byte heap out-of-bounds read exists in the Unix ar archive parser in 7-Zip. When parsing a BSD-style __.SYMDEF symbol table, the ParseLibSymbols function reads a 32-bit namesSize field via Get32 at a position that can equal the buffer size, reading 4 bytes past the end of the heap allocation. This reads uninitialized heap data under the default allocator. Version 26.01 patches the issue.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
7zip (PTS)bookworm22.01+really25.01+dfsg-0+deb12u1vulnerable
trixie25.01+dfsg-1~deb13u2vulnerable
forky, sid26.01+dfsg-2fixed
p7zip (PTS)bullseye16.02+dfsg-8vulnerable
bullseye (security)16.02+really25.01+dfsg-0+deb11u1vulnerable
bookworm16.02+really25.01+dfsg-0+deb12u1vulnerable
trixie16.02+transitional.1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
7zipsource(unstable)26.01+dfsg-1
p7zipsource(unstable)16.02+transitional.1

Notes

[trixie] - 7zip <no-dsa> (Minor issue)
[bookworm] - 7zip <no-dsa> (Minor issue)
Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package
depending on 7zip. Mark this version as fixed version.
https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/
Search for package or bug name: Reporting problems