7-Zip 26.02 patches code-execution flaw triggered by malicious archives
Users of 7-Zip should install version 26.02, which addresses a remote code execution vulnerability in the popular Windows archiving utility. The flaw could allow an attacker to run arbitrary code afte...
Users of 7-Zip should install version 26.02, which addresses a remote code execution vulnerability in the popular Windows archiving utility. The flaw could allow an attacker to run arbitrary code after a victim opens a specially crafted archive or visits a page designed to deliver malicious XZ-compressed data.
The issue was reported by Lunbun researcher Landon Peng and described in an advisory from the Zero Day Initiative. It affects 7-Zip’s handling of XZ data and stems from a heap-based buffer overflow. Although the project has not released detailed technical documentation, changes in the new source code indicate that the fix adds safeguards around the amount of space available during decompression. These checks are intended to prevent the decoder from writing beyond the bounds of its output buffer.
Manual installation required
7-Zip does not provide an automatic update mechanism, so existing installations will not receive the patch on their own. Users should download and install version 26.02 from the project’s official website, 7-zip.org. Organizations can also use their approved software-management tools where appropriate, while verifying that packages come from trusted sources.
Exploitation requires user interaction, such as opening a malicious archive. That requirement does not eliminate the risk: attackers commonly use phishing messages, compromised websites, and social-engineering tactics to persuade victims to handle booby-trapped files.
Archive-processing vulnerabilities have previously been used in real-world attacks. A 7-Zip weakness exploited in 2025 allowed malware to bypass Windows’ Mark of the Web protections, while a separate WinRAR vulnerability was later used in phishing campaigns to distribute RomCom malware.
There are no current reports that this newly fixed 7-Zip vulnerability is being exploited in the wild. Nevertheless, because the application is widely deployed and does not update automatically, prompt patching is recommended to reduce exposure to future attacks.
