Close Menu

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    What's Hot

    The Future of Age Verification: Your Face Never Leaves Your Device

    July 18, 2026

    WordPress Core “wp2shell” RCE flaws get public exploits, patch now

    July 18, 2026

    Update now: 7-Zip fixes RCE flaw exploitable with malicious archives

    July 18, 2026
    Facebook X (Twitter) Instagram
    • Demos
    • Technology
    • Gaming
    • Buy Now
    Facebook X (Twitter) Instagram Pinterest Vimeo
    Canadian Cyber WatchCanadian Cyber Watch
    • Home
    • News
    • Alerts
    • Tips
    • Tools
    • Industry
    • Incidents
    • Events
    • Education
    Subscribe
    Canadian Cyber WatchCanadian Cyber Watch
    Home»News»Update now: 7-Zip fixes RCE flaw exploitable with malicious archives
    News

    Update now: 7-Zip fixes RCE flaw exploitable with malicious archives

    adminBy adminJuly 18, 2026No Comments2 Mins Read
    Share Facebook Twitter Pinterest LinkedIn Tumblr Reddit Telegram Email
    Share
    Facebook Twitter LinkedIn Pinterest Email


    7-Zip

    7-Zip version 26.02 was released to fix a remote code execution vulnerability that could allow attackers to execute malicious code by convincing users to open specially crafted compressed files.

    The vulnerability, disclosed by Lunbun researcher Landon Peng, exists in 7-Zip’s processing of XZ-compressed data.

    According to an advisory from the Zero Day Initiative, specially crafted XZ data can trigger a heap-based buffer overflow, potentially allowing attackers to execute arbitrary code as the user.

    image

    While the developer has not published technical details about the flaw, the changes in the 26.02 source code suggest it is related to how 7-Zip tracks available space while decompressing XZ data.

    The patch adds checks to ensure the decoder cannot write beyond the remaining available space in an output buffer, helping prevent a heap-based buffer overflow.

    The advisory states that exploitation requires user interaction, such as visiting a malicious page or opening a malicious archive file.

    No automatic update feature

    As 7-Zip does not include an automatic update feature, users will not receive the security fix automatically. Instead, they must install it manually by downloading the latest version from the program’s official site, 7-zip.org.

    Because 7-Zip is one of the most widely used archive utilities on Windows, security flaws impacting its archive features are an attractive target to threat actors.

    A phishing campaign or social engineering attack could be used to distribute a malicious archive that exploits the flaw to install malware on vulnerable systems.

    This is not far-fetched, as archive vulnerabilities, including those in 7-Zip, have been exploited in past attacks.

    In early 2025, a 7-Zip vulnerability that allowed malware to bypass Windows’ Mark of the Web (MotW) security feature was exploited by Russian hackers as a zero-day.

    Later that same year, a Russian hacking group exploited a WinRAR vulnerability tracked as CVE-2025-8088 via phishing attacks to install the RomCom malware.

    There are currently no reports that attackers are actively exploiting this newly disclosed 7-Zip vulnerability.

    However, users are advised to update to version 26.02 as soon as possible to reduce the risk of future attacks.


    article image

    Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

    The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

    Get the whitepaper



    Source link

    Share. Facebook Twitter Pinterest LinkedIn Tumblr Email
    Previous ArticleAncient Princesses Were Weapon-Wielding Badasses, Scientists Discover
    Next Article WordPress Core “wp2shell” RCE flaws get public exploits, patch now
    admin
    • Website

    Related Posts

    News

    The Future of Age Verification: Your Face Never Leaves Your Device

    July 18, 2026
    News

    WordPress Core “wp2shell” RCE flaws get public exploits, patch now

    July 18, 2026
    News

    Ancient Princesses Were Weapon-Wielding Badasses, Scientists Discover

    July 18, 2026
    Add A Comment

    Comments are closed.

    Demo
    Top Posts

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Stay In Touch
    • Facebook
    • YouTube
    • TikTok
    • WhatsApp
    • Twitter
    • Instagram
    Latest Reviews
    85
    Featured

    Pico 4 Review: Should You Actually Buy One Instead Of Quest 2?

    January 15, 2021 Featured
    8.1
    Uncategorized

    A Review of the Venus Optics Argus 18mm f/0.95 MFT APO Lens

    January 15, 2021 Uncategorized
    8.9
    Editor's Picks

    DJI Avata Review: Immersive FPV Flying For Drone Enthusiasts

    January 15, 2021 Editor's Picks

    Subscribe to Updates

    Get the latest tech news from FooBar about tech, design and biz.

    Demo
    Most Popular

    Catchy & Intriguing

    March 17, 202677 Views

    The Canadian Password Playbook: Navigating Compliance and Building Strong Passwords

    March 25, 202634 Views

    IP Address Investigations and Local OSINT

    March 20, 202634 Views
    Our Picks

    The Future of Age Verification: Your Face Never Leaves Your Device

    July 18, 2026

    WordPress Core “wp2shell” RCE flaws get public exploits, patch now

    July 18, 2026

    Update now: 7-Zip fixes RCE flaw exploitable with malicious archives

    July 18, 2026

    Subscribe to Updates

    Get the latest creative news from FooBar about art, design and business.

    Facebook X (Twitter) Instagram Pinterest
    • Home
    • Technology
    • Gaming
    • Phones
    • Buy Now
    © 2026 ThemeSphere. Designed by ThemeSphere.

    Type above and press Enter to search. Press Esc to cancel.