A newly disclosed vulnerability in 7-Zip, one of the most widely used open-source file archiving tools, could allow remote attackers to execute arbitrary code on affected systems.
The vulnerability resides in how 7-Zip processes XZ-compressed data streams.
7-Zip is used by millions of individuals, businesses, and IT administrators worldwide for compressing and extracting files, making this vulnerability significant despite the user-interaction requirement.
Because 7-Zip handles compressed files by default without deep content inspection, users may unknowingly extract or open a malicious XZ archive believing it to be legitimate.
Users should prioritize patching 7-Zip promptly and maintain cautious file-handling practices to reduce exposure to this and similar threats.
A newly disclosed vulnerability in 7-Zip, one of the most widely used open-source file archiving tools, could allow remote attackers to execute arbitrary code on affected systems. Tracked as CVE-2026-14266, the flaw stems from improper handling of XZ chunked data and has been addressed in the latest software update.
The vulnerability resides in how 7-Zip processes XZ-compressed data streams. Specifically, specially crafted XZ chunked data can trigger a heap-based buffer overflow, a memory corruption issue that occurs when data written to a buffer exceeds its allocated space.
Attackers can exploit this overflow to execute malicious code within the context of the current process, potentially gaining the same privileges as the logged-in user.
Exploitation requires user interaction, meaning an attacker cannot compromise a system remotely without some action from the victim. To trigger the vulnerability, a target must either:
Open a maliciously crafted archive file, or
Visit a malicious webpage designed to deliver the crafted XZ payload
According to the Zero Day Initiative advisory, once the victim opens the file or triggers the associated action, the malformed XZ data causes 7-Zip to overflow the heap buffer, allowing the attacker’s code to execute silently in the background.
7-Zip is used by millions of individuals, businesses, and IT administrators worldwide for compressing and extracting files, making this vulnerability significant despite the user-interaction requirement.
Attackers frequently rely on social engineering tactics, such as phishing emails with malicious attachments, to convince users to open compromised archive files, making this an easily weaponizable flaw for malware delivery, ransomware staging, or initial access in broader attack chains.
Because 7-Zip handles compressed files by default without deep content inspection, users may unknowingly extract or open a malicious XZ archive believing it to be legitimate.
Patch and Mitigation
The vulnerability has been fixed in 7-Zip version 26.02. Users and organizations are strongly urged to:
Update immediately to 7-Zip 26.02 or later
Avoid opening archive files from unknown or untrusted sources
Enable email attachment scanning to catch malicious compressed files before delivery
Educate employees on the risks of opening unsolicited compressed attachments
The vulnerability was discovered and reported by Landon Peng of Lunbun LLC, contributing to the responsible disclosure process that led to a timely patch.
As compression utilities remain a common vector for malware delivery, CVE-2026-14266 serves as a reminder that even trusted, widely deployed software can harbor critical memory-safety flaws. Users should prioritize patching 7-Zip promptly and maintain cautious file-handling practices to reduce exposure to this and similar threats.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.