7-Zip CVE-2026-48095 Fix

Stephanie Adlam

CVE-2026-48095 is a 7-Zip NTFS handler heap overflow fixed in 7-Zip 26.01. If you use 7-Zip to open files from email, downloads, shared folders, game mods, cracked installers, or unknown senders, update from the official 7-Zip download page and avoid testing suspicious archives on your main Windows profile.

If your concern is broader than this 7-Zip CVE, see our plain-language guide to whether opening a ZIP or RAR file can infect your PC; it separates viewing an archive from extracting or running its contents.

The important detail for ordinary users is not the exploit technique. The risk is that a crafted NTFS image may still reach the vulnerable handler even when the file name does not obviously look like a disk image. Treat unexpected archives, renamed files, and password-protected attachments as untrusted until they are scanned and verified.

What Happened

GitHub Security Lab published advisory GHSL-2026-140 on May 22, 2026 for a heap buffer write overflow in 7-Zip. The advisory assigns the issue CVE-2026-48095, says the tested vulnerable build was 7-Zip 26.00, and states that versions through 26.00 are affected. The fix was released in 7-Zip 26.01 on April 27, 2026.

Item               What to know
CVE                CVE-2026-48095 / GHSL-2026-140
Affected area      7-Zip NTFS archive handler
Affected versions  Versions through 26.00, according to GitHub Security Lab
Fixed version      7-Zip 26.01
Main user action   Update 7-Zip and avoid opening untrusted archives directly

Why Renamed Files Matter

Many people think an archive risk is limited to files ending in .7z, .zip, .rar, or .img. This advisory is a reminder that file content matters too. GitHub Security Lab notes that 7-Zip can try handlers by signature after the extension-matched handler fails, so a crafted NTFS image may still be routed to the NTFS handler even under another extension.

That does not mean every renamed file is malicious. It means you should not use the filename as proof of safety. A file named like an invoice, mod, crack, driver, or document can still contain unexpected archive or image content.
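The same "content over extension" idea the advisory describes can be turned around for triage. The following added example (written for this article, not code from 7-Zip or GitHub Security Lab) reads a file's first bytes, matches them against well-known public header signatures, and flags files whose content type does not fit the extension they carry; the NTFS sample bytes are constructed, not taken from any real image.

```python
from pathlib import Path
from typing import Optional

# Well-known header signatures (public magic values). The NTFS OEM ID sits
# at offset 3 of the boot sector; the archive magics sit at offset 0.
SIGNATURES = {
    "ntfs-image": (3, b"NTFS    "),
    "7z": (0, b"7z\xbc\xaf\x27\x1c"),
    "zip": (0, b"PK\x03\x04"),
    "rar": (0, b"Rar!\x1a\x07"),
    "pdf": (0, b"%PDF-"),
}

# Content types that are plausible for a given extension.
EXPECTED = {
    ".7z": {"7z"}, ".zip": {"zip"}, ".rar": {"rar"}, ".pdf": {"pdf"},
    ".img": {"ntfs-image"}, ".ntfs": {"ntfs-image"},
}

def identify(header: bytes) -> Optional[str]:
    """Return the content type whose signature matches, or None."""
    for name, (offset, magic) in SIGNATURES.items():
        if header[offset:offset + len(magic)] == magic:
            return name
    return None

def triage(name: str, header: bytes) -> str:
    """Compare what the first bytes say against what the extension claims.
    'mismatch:<type>' is the case the advisory warns about."""
    detected = identify(header)
    if detected is None:
        return "unknown"
    if detected in EXPECTED.get(Path(name).suffix.lower(), set()):
        return "consistent"
    return f"mismatch:{detected}"

def scan_file(path: str) -> str:
    """Triage a file on disk; only its first 512 bytes are read."""
    with open(path, "rb") as fh:
        return triage(path, fh.read(512))

# Constructed sample: jump bytes plus the NTFS OEM ID, padded to one sector
# and given a document-like name. Not a real image.
FAKE_NTFS_AS_PDF = b"\xeb\x52\x90" + b"NTFS    " + b"\x00" * 501

if __name__ == "__main__":
    print(triage("invoice.pdf", FAKE_NTFS_AS_PDF))  # mismatch:ntfs-image
    print(triage("backup.img", FAKE_NTFS_AS_PDF))   # consistent
```

A "mismatch" result is a reason to scan the file and verify its origin before opening it in any archiver, patched or not; "unknown" only means none of the listed signatures matched.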

What Windows Users Should Do

  1. Update 7-Zip to 26.01 or later. Use the official 7-Zip site or the official GitHub release linked from it. Avoid third-party download portals and bundled installers.
  2. Check the installed version. Open 7-Zip File Manager, choose Help, then About 7-Zip. If it shows 26.00 or older, update.
  3. Do not test unknown archives on your daily account. If a file came from a random download, Discord message, torrent, cracked software package, fake update prompt, or unsolicited email, do not open it just to see what happens.
  4. Scan suspicious files first. Use a local security scan and a second-opinion check before extracting. Gridinsoft Anti-Malware can inspect downloaded archives and files before they are opened, and Gridinsoft Online Virus Scanner is useful for checking a single suspicious file hash or upload.
  5. Delete the source file if the origin is untrusted. Updating 7-Zip reduces this specific risk, but it does not make a malicious attachment, fake installer, or trojanized archive safe.

When to Be Extra Cautious

Use stricter handling when the archive or attachment has any of these signals:

  • It came from a sender you did not expect.
  • It is password-protected and the password was supplied in the message body.
  • The file type does not match the context, such as a supposed PDF that opens in an archiver.
  • It came with instructions to disable antivirus or run as administrator.
  • It was downloaded from a fake update page, cracked software site, mod mirror, or ad redirect.

If you already opened a suspicious archive and Windows Defender or another scanner later flagged the extracted content, keep the item quarantined and follow a cleanup workflow. Related cases often appear as archive-triggered Defender alerts, such as Trojan:Script/Conteban.A!ml, or as self-extracting archive abuse, such as SFX archives launching PowerShell.

Scan if you ran a file from a suspicious archive.

Updating the vulnerable app is the first step. If you already extracted and ran a file from an unknown archive, scan the PC for dropped payloads, startup entries, and persistence.


What Not to Do

  • Do not paste or run public proof-of-concept code from advisory discussions.
  • Do not rely on file extensions alone to decide whether something is safe.
  • Do not install 7-Zip updates from ads, mirror sites, or software bundles.
  • Do not restore quarantined files just because the archive name looks familiar.

Safe Handling Checklist

Situation                                      Best action
You have 7-Zip 26.00 or older                  Update to 26.01 or later from the official download page.
You received an unexpected archive             Do not open it. Verify the sender and scan it first.
A file extension looks wrong                   Treat it as suspicious and check the file before opening.
You already extracted files                    Run a full scan and remove suspicious extracted content.
A scanner flags the archive or extracted file  Leave it quarantined and avoid restoring it unless you have a confirmed false positive.

FAQ

Is CVE-2026-48095 being exploited in the wild?

At publication time, the strongest public source is the GitHub Security Lab advisory and public discussion around the proof of concept. The safer user action is the same either way: update 7-Zip and avoid opening untrusted archives.

Does this only affect files ending in .ntfs or .img?

No. The advisory says the NTFS handler may be reached through signature-based fallback detection, so a crafted NTFS image may not need an obvious NTFS-related extension.

Is uninstalling 7-Zip required?

No. For most users, updating to 7-Zip 26.01 or later is the right fix. Uninstalling is only reasonable if you do not need an archiver or cannot update on a managed system.

Should I open old archives again after updating?

Do not reopen old suspicious archives just to test them. If the source was untrusted, delete the file or scan it first in a controlled way.

References

  1. GitHub Security Lab advisory GHSL-2026-140 for CVE-2026-48095.
  2. Official 7-Zip download page for version 26.01.
  3. Official 7-Zip 26.01 GitHub release page.