CVE-2026-48104: CWE-908: Use of Uninitialized Resource in mcmilk 7-Zip
CVE-2026-48104 is a medium severity vulnerability in 7-Zip versions 9. 18 through 26. 00 involving an uninitialized heap read in the SquashFS archive handler. This flaw arises from a sparsely populated index array that leads to reading uninitialized memory during directory parsing. Exploitation requires opening a crafted SquashFS archive, potentially causing denial of service or information disclosure. The issue is fixed in version 26. 01. No known exploits are reported in the wild.
AI Analysis
Technical Summary
7-Zip versions 9.18 to 26.00 contain an uninitialized heap read vulnerability in the SquashFS archive handler. The vulnerability occurs because the _blockToNode array is allocated for every metadata block but only partially populated, leaving many entries uninitialized. When OpenDir uses an attacker-controlled blockIndex derived from the RootInode superblock field, it reads uninitialized slots as bounds for a binary search, which can lead to out-of-bounds reads and heap information disclosure. This vulnerability triggers during file open operations without further user interaction. The impact includes denial of service from wild-pointer dereference and potential information disclosure. Version 26.01 addresses this issue.
Potential Impact
The vulnerability can cause denial of service due to wild-pointer dereference and may lead to heap information disclosure. There is no write or code execution capability associated with this flaw. Exploitation requires opening a specially crafted SquashFS archive file. No known exploits have been reported in the wild.
Mitigation Recommendations
Version 26.01 of 7-Zip fixes this vulnerability. Users should upgrade to 7-Zip 26.01 or later to remediate this issue. Since this is not a cloud service, remediation depends on user action to update the software. Patch status is not explicitly confirmed in the vendor advisory, but the description states the issue is fixed in version 26.01.
CVE-2026-48104: CWE-908: Use of Uninitialized Resource in mcmilk 7-Zip
Description
CVE-2026-48104 is a medium severity vulnerability in 7-Zip versions 9. 18 through 26. 00 involving an uninitialized heap read in the SquashFS archive handler. This flaw arises from a sparsely populated index array that leads to reading uninitialized memory during directory parsing. Exploitation requires opening a crafted SquashFS archive, potentially causing denial of service or information disclosure. The issue is fixed in version 26. 01. No known exploits are reported in the wild.
CVSS v3.1
Score 4.2medium
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
7-Zip versions 9.18 to 26.00 contain an uninitialized heap read vulnerability in the SquashFS archive handler. The vulnerability occurs because the _blockToNode array is allocated for every metadata block but only partially populated, leaving many entries uninitialized. When OpenDir uses an attacker-controlled blockIndex derived from the RootInode superblock field, it reads uninitialized slots as bounds for a binary search, which can lead to out-of-bounds reads and heap information disclosure. This vulnerability triggers during file open operations without further user interaction. The impact includes denial of service from wild-pointer dereference and potential information disclosure. Version 26.01 addresses this issue.
Potential Impact
The vulnerability can cause denial of service due to wild-pointer dereference and may lead to heap information disclosure. There is no write or code execution capability associated with this flaw. Exploitation requires opening a specially crafted SquashFS archive file. No known exploits have been reported in the wild.
Mitigation Recommendations
Version 26.01 of 7-Zip fixes this vulnerability. Users should upgrade to 7-Zip 26.01 or later to remediate this issue. Since this is not a cloud service, remediation depends on user action to update the software. Patch status is not explicitly confirmed in the vendor advisory, but the description states the issue is fixed in version 26.01.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-20T18:40:45.836Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a22fdf3e29bf47b50937326
Added to database: 6/5/2026, 4:48:51 PM
Last enriched: 6/5/2026, 5:04:04 PM
Last updated: 6/5/2026, 5:57:53 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.