7-Zip versions up to 26.00 contain a heap buffer overflow in the NTFS handler due to an under-allocation in the compressed stream buffer size calculation (CInStream::GetCuSize). When processing a crafted NTFS image with ClusterSizeLog >= 28 and CompressionUnit == 4, the exponent calculation overflows, causing the buffer _inBuf to be allocated as 1 byte. Subsequent writes of up to 256 MB overflow this buffer and overwrite adjacent memory, including the CInStream object's vtable pointer, enabling vtable hijacking and potential arbitrary code execution. On 32-bit builds, the overflow is unconditional; on 64-bit builds, it depends on a large parallel buffer allocation. The NTFS handler is enabled by default and triggered by signature-based fallback, allowing exploitation regardless of file extension. The issue is fixed in version 26.01.

Successful exploitation can lead to arbitrary code execution or application crashes due to heap buffer overflow and vtable pointer overwrite. This affects confidentiality, integrity, and availability of the affected system. The vulnerability can be triggered by processing crafted NTFS images during extraction or testing in 7-Zip. The CVSS score of 8.8 reflects high impact with network attack vector, low attack complexity, no privileges required, and user interaction needed.

Version 26.01 of 7-Zip fixes this vulnerability. Users should upgrade to 7-Zip 26.01 or later to remediate the issue. No official patch or temporary fix details are provided beyond this version update. Until upgrading, avoid opening or extracting files from untrusted sources that may contain crafted NTFS images. Patch status is not explicitly confirmed beyond the version update note; users should verify with the vendor advisory for the latest remediation guidance.