CVE-2026-48092

medium

Published 2026-06-05 · Modified 2026-06-05

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

4.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVSS v4 NEW

—

not yet in upstream

VIR risk

4.3

Description

7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain a heap memory disclosure via SquashFS fragment offset integer overflow on 32-bit builds. 32-bit integer overflow in the SquashFS ReadBlock function allows an attacker-controlled node.Offset value to bypass the fragment bounds check, causing memcpy to read heap memory preceding the cache buffer into the extracted file. The vulnerability is exploitable only on 32-bit builds of 7-Zip where size_t is 32 bits, allowing the addition offsetInBlock + blockSize to wrap modulo 2³². On 64-bit builds the addition is promoted to 64 bits and the check correctly rejects the input. Version 26.01 patches the issue.

Predictions

Exploit likelihood

53%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-48092 NameCVE-2026-48092 DescriptionSquashFS Fragment Offset Overflow SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Vulnerable and fixed packages The table below lists information on source packages. Source PackageReleaseVersionStatus 7zip…

CVE-2026-48092

Name	CVE-2026-48092
Description	SquashFS Fragment Offset Overflow
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
7zip (PTS)	bookworm	22.01+really25.01+dfsg-0+deb12u1	vulnerable
	trixie	25.01+dfsg-1~deb13u2	vulnerable
	forky, sid	26.01+dfsg-2	fixed
p7zip (PTS)	bullseye	16.02+dfsg-8	vulnerable
	bullseye (security)	16.02+really25.01+dfsg-0+deb11u1	vulnerable
	bookworm	16.02+really25.01+dfsg-0+deb12u1	vulnerable
	trixie	16.02+transitional.1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
7zip	source	(unstable)	26.01+dfsg-1	unimportant
p7zip	source	(unstable)	16.02+transitional.1	unimportant

Notes

Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package
depending on 7zip. Mark this version as fixed version.
https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/
Crash in CLI tool, no security impact

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

Since p7zip/16.02+transitional.1 src:p7zip is only a empty source packagedepending on 7zip. Mark this version as fixed version.https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/Crash in CLI tool, no security impact

OS impact

Debian Mixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`16.02+transitional.1`
sid	Fixed	`26.01+dfsg-1`
forky	Fixed	`26.01+dfsg-1`
bullseye	Affected	—
bookworm	Affected	—

References

CWEs

CWE-125

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.