How 7‑Zip 26.00’s NTFS handling triggers a heap‑overflow RCE (CVE‑2026‑48095)

In April 2026, GitHub Security Lab disclosed a critical heap‑overflow vulnerability (CVE‑2026‑48095) in 7‑Zip 26.00 that can be triggered by opening a crafted NTFS image, leading to vtable hijacking and remote code execution with a CVSS score of 8.8.

7-ZipCVE-2026-48095NTFS

0 likes · 12 min read

How 7‑Zip 26.00’s NTFS handling triggers a heap‑overflow RCE (CVE‑2026‑48095)