Mountain View, 17 July 2026
The archiver 7-Zip has been released in the new version 26.02 and closes a dangerous security vulnerability that allows the injection of malicious code when opening manipulated XZ archives.
What makes the 7-Zip vulnerability so dangerous
The Zero Day Initiative (ZDI) from Trend Micro had publicly disclosed the vulnerability. It is a heap buffer overflow triggered during the processing of XZ chunk data. According to ZDI, it is sufficient to visit a malicious page or open a malicious file to trigger the exploit. „eine bösartige Seite aufrufen oder eine bösartige Datei öffnen", the report states.
Attackers can exploit the vulnerability to execute hidden malicious code embedded in specially crafted archive files without users noticing. However, user interaction is required – the file must be actively opened. If successful, the malicious code then runs in the context of the current process.
The discoverer of the vulnerability is ZDI. It was reported to 7-Zip developer Igor Pavlov on 5 June. He released a patch on 25 June with version 26.02. ZDI published its advisory on 15 July. The release notes for 7-Zip 26.02 do not name the vulnerability explicitly, but merely state that „einige Fehler und Sicherheitslücken behoben" were fixed.
