CVE-2026-48103

medium

Published 2026-06-05 · Modified 2026-06-05

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

4.3

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

CVSS v4 NEW

—

not yet in upstream

VIR risk

4.3

Description

7-Zip is a file archiver with a high compression ratio. Versions 9.34 through 26.00 contain an off-by-one heap out-of-bounds read in the WIM (Windows Imaging) archive handler's security descriptor lookup. In CHandler::GetSecurity (CPP/7zip/Archive/Wim/WimHandler.cpp), the per-image SecurOffsets table holds numEntries + 1 cumulative offsets, but the check securityId >= SecurOffsets.Size() admits securityId == numEntries, and the function then reads SecurOffsets[securityId + 1], fetching one UInt32 past the end of the heap-allocated CRecordVector (which performs no bounds checking on operator[]). The securityId is attacker-controlled at offset +0xC of any directory entry in WIM metadata, and the handler is registered for .wim, .swm, .esd, and .ppkg and enabled by default in stock 7z.dll; the OOB triggers zero-click in the GUI because 7zFM.exe's ListView calls GetRawProp(kpidNtSecure) for every item during listing (ASan-confirmed), and is also reachable via CLI listing with 7zz l -slt. Impact is limited to denial of service under hardened allocators and minor information disclosure, since the OOB value is only consumed arithmetically as a length and is not surfaced to the attacker; there is no write primitive.

Predictions

Exploit likelihood

53%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker · View original ↗ · DFSG

CVE-2026-48103 NameCVE-2026-48103 SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) Vulnerable and fixed packages The table below lists information on source packages. Source PackageReleaseVersionStatus 7zip (PTS)bookworm22.01+really25.01+dfsg-0+deb12u1vulnerable…

CVE-2026-48103

Name	CVE-2026-48103
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
7zip (PTS)	bookworm	22.01+really25.01+dfsg-0+deb12u1	vulnerable
	trixie	25.01+dfsg-1~deb13u2	vulnerable
	forky, sid	26.01+dfsg-2	fixed
p7zip (PTS)	bullseye	16.02+dfsg-8	vulnerable
	bullseye (security)	16.02+really25.01+dfsg-0+deb11u1	vulnerable
	bookworm	16.02+really25.01+dfsg-0+deb12u1	vulnerable
	trixie	16.02+transitional.1	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
7zip	source	(unstable)	26.01+dfsg-1
p7zip	source	(unstable)	16.02+transitional.1

Notes

Since p7zip/16.02+transitional.1 src:p7zip is only a empty source package
depending on 7zip. Mark this version as fixed version.
https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/

Home - Debian Security - Source (Git)

Apply commands

text fix

Notes

Since p7zip/16.02+transitional.1 src:p7zip is only a empty source packagedepending on 7zip. Mark this version as fixed version.https://securitylab.github.com/advisories/GHSL-2026-115_GHSL-2026-122_7-zip/

OS impact

Debian Mixed 5 releases

Version	Status	Fixed in
trixie	Fixed	`16.02+transitional.1`
sid	Fixed	`26.01+dfsg-1`
forky	Fixed	`26.01+dfsg-1`
bullseye	Affected	—
bookworm	Affected	—

References

CWEs

CWE-125

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.