← All stories
● Covered by 1 source · 1 reportMedium impact

7-Zip 26.02 released to address serious remote code execution flaw

Aggregated by BrevFeed security · updated 5h ago
🔖 Save

7-Zip 26.02 was released to address a remote code execution vulnerability linked to XZ-compressed data. The issue could allow attackers to execute arbitrary code if users open malicious archives, emphasizing the need for timely updates due to the software's popularity.

Key points

Release of 7-Zip 26.02

7-Zip has released version 26.02 to fix a critical remote code execution vulnerability. This flaw allows attackers to execute malicious code when users open specially crafted XZ-compressed files.

Details of the Vulnerability

The vulnerability was disclosed by researcher Landon Peng and involves a heap-based buffer overflow in how 7-Zip processes XZ data. Affected systems could potentially allow attackers to run arbitrary code under the user's permissions.

Patch Implementation

The patch includes modifications to prevent the decoder from writing beyond the available space in an output buffer, thus mitigating the heap overflow risk. Technical details of the flaw have not been publicly disclosed.

User Risks and Exploitation Potential

Exploitation of this vulnerability requires user interaction, such as opening a malicious archive. 7-Zip's widespread usage makes it a prime target for threats, and past incidents indicate that such vulnerabilities have been successfully exploited in phishing attacks.

Importance of Manual Updates

Since 7-Zip lacks an automatic update feature, users need to manually download the new version from 7-zip.org. Users are advised to update promptly to improve security and reduce the risk of malware installation.

✨ This summary was generated by AI from the outlets' reporting listed below. It is not independently verified and may contain errors — check the original sources. How BrevFeed works →

Primary sources

CVE CVE-2025-80888.8 HIGH

Reporting from

7-Zip 26.02 was released to address a remote code execution vulnerability linked to XZ-compressed data. The issue could allow attackers to execute arbitrary code if users open malicious archives, emphasizing the need for timely updates due to the software's popularity.