# 7-Zip Linux Vulnerabilities — What Administrators Should Know
## Introduction
7-Zip is widely used on Linux systems for archive handling in scripts, pipelines, CI/CD jobs, and administrative workflows. Several high-severity vulnerabilities have been disclosed in 7-Zip between 2024 and 2026, ranging from remote code execution via crafted archives to directory traversal and heap buffer overflows.
This article covers the four most significant recent 7-Zip vulnerabilities, explains their impact on Linux environments, and provides clear steps to check your version and apply patches.
## Vulnerability Summary
| CVE | Type | Severity | Affected Versions | Fixed In |
|---|---|---|---|---|
| CVE-2026-48095 | Heap buffer overflow (NTFS parser) | High | 7-Zip 26.00 | 7-Zip 26.01 |
| CVE-2025-11001 | Directory traversal (ZIP) | High (CVSS 7.0) | Prior to 7-Zip 25.00 | 7-Zip 25.00 |
| CVE-2025-11002 | Directory traversal (ZIP) | High (CVSS 7.0) | Prior to 7-Zip 25.00 | 7-Zip 25.00 |
| CVE-2024-11477 | Integer underflow — RCE (Zstandard) | High (CVSS 7.8) | Prior to 7-Zip 24.07 | 7-Zip 24.07 |
## What Is Affected?
### CVE-2026-48095 — Heap Buffer Overflow in NTFS Parser
A heap buffer overflow exists in the NTFS image handler of 7-Zip version 26.00. A shift expression with a shift exponent of 32 (undefined behaviour) corrupts the buffer size calculation, leading to a heap buffer write overflow.
What makes this particularly notable is that the NTFS parser is not limited to .img or .ntfs files. Multiple archive formats can route to the NTFS parser through signature-based fallback logic. Files with .7z, .zip, or .rar extensions can trigger this vulnerability if they are crafted appropriately.
Fixed in: 7-Zip 26.01 (released April 27, 2026)
### CVE-2025-11001 and CVE-2025-11002 — Directory Traversal in ZIP Handling
Two directory traversal vulnerabilities in 7-Zip's ZIP file parsing allow a crafted archive to write files outside the intended extraction directory. The decompression logic incorrectly handles absolute Windows-style paths (such as C:\Windows\System32) as relative paths, bypassing safety checks.
On Linux, the practical impact differs from Windows. The risk is highest when:
- 7-Zip is used in automated scripts running with elevated privileges
- Archives are extracted from untrusted sources in CI/CD pipelines
- The extraction target directory has broad write permissions
Active exploitation was observed in the wild for these vulnerabilities.
Fixed in: 7-Zip 25.00 and later
### CVE-2024-11477 — Integer Underflow in Zstandard Decompression
An integer underflow before a memory write in 7-Zip's Zstandard decompression implementation can allow remote code execution when processing a crafted archive. The issue is caused by a lack of validation of user-supplied data (CWE-191).
This vulnerability was disclosed in November 2024 and affects any 7-Zip installation prior to version 24.07.
Fixed in: 7-Zip 24.07 and later
## Why This Matters for Linux Administrators
7-Zip vulnerabilities are often underestimated on Linux because 7-Zip is associated with Windows. However, 7-Zip is present in many Linux environments:
- Installed via package managers (p7zip, p7zip-full) on Debian and Ubuntu systems
- Used in build pipelines and CI/CD runners for archive extraction
- Used by script-driven backup or packaging workflows
- Present in Docker build images as a dependency
Any workflow that accepts archive files from untrusted or external sources and processes them with a vulnerable 7-Zip version is at risk. Remote code execution via CVE-2024-11477 requires only that a malicious Zstandard-compressed archive is decompressed.
## How to Check Your System
### Check the 7-Zip version — Debian and Ubuntu (p7zip)
```shell
$ dpkg -l | grep p7zip
ii p7zip-full 21.07+dfsg-4 amd64 7z and 7za command-line utilities
```
Also check the binary directly:
```shell
$ 7z --help 2>&1 | head -3
7-Zip 24.08 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11
```
### Check the 7-Zip version — RHEL/Fedora/Rocky/AlmaLinux
```shell
$ rpm -qa | grep p7zip
p7zip-16.02-21.el9.x86_64
```
### Check if 7-Zip is installed at a non-standard path
```shell
which 7z 7za 7zr 2>/dev/null
find /usr /opt /home -name "7z" -o -name "7za" 2>/dev/null
```
### Check 7-Zip usage in CI/CD pipelines
If you manage CI/CD infrastructure, check whether any pipeline steps extract archives using 7-Zip:
```shell
grep -rn "7z\|p7zip\|7za" /etc/jenkins /var/lib/jenkins /opt/gitlab-runner 2>/dev/null | head -20
```
## How to Patch or Mitigate
### Option 1: Update via package manager (recommended where available)
Note that distribution-packaged versions of p7zip may lag behind upstream 7-Zip releases. Always verify the version after updating.
Ubuntu and Debian:
```shell
sudo apt update
sudo apt upgrade p7zip p7zip-full
```
RHEL, Rocky Linux, AlmaLinux, Fedora:
```shell
sudo dnf update p7zip
```
After updating, verify the version:
```shell
7z --help 2>&1 | head -2
```
### Option 2: Install directly from the 7-Zip official release
If your distribution's package is outdated, install the official Linux binary from the 7-Zip project (check the 7-Zip official download page for the current Linux release), then check the version it reports:
```shell
7z --help 2>&1 | head -2
```
Verify the version shown is 26.01 or later.
### Option 3: Restrict 7-Zip usage in automated workflows
If an immediate update is not possible, limit exposure:
- Do not extract archives from untrusted or external sources using vulnerable versions
- Run 7-Zip extraction steps in isolated environments with minimal privileges
- Review pipeline scripts that automatically process uploaded or downloaded archives
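The following wrapper is an added example, not code from the article or from the 7-Zip project, that puts the three points above and the traversal pattern described under CVE-2025-11001 / CVE-2025-11002 into practice: it lists the archive entries before touching the filesystem, refuses any entry name that is absolute, carries a Windows drive prefix such as `C:` or contains a `..` component, and only then extracts into a fresh, empty directory with the archive type pinned. Function names are this example's own; it assumes the `7z` binary name used in the article and the `-slt`, `-t`, `-o`, `-y` and `--` switches of the 7-Zip command line.

```shell
#!/bin/sh
# Added example (not code from the article or from 7-Zip): a defensive
# extraction wrapper for ZIP archives from untrusted sources. It lists the
# entries first, refuses any entry whose name is absolute, carries a Windows
# drive prefix (the shape described under CVE-2025-11001/11002) or contains a
# ".." component, and only then extracts into a fresh, empty directory.
# Function names are this example's own.

# Return 0 if an entry name is safe to create under the extraction directory,
# 1 otherwise. Backslashes are normalised to "/" first because ZIP entries
# written by Windows tools use them as separators.
safe_entry_path() {
    p=$(printf '%s' "$1" | tr '\\' '/')
    case "$p" in
        "")                    return 1 ;;   # empty name
        /*)                    return 1 ;;   # absolute path, also //server/share
        [A-Za-z]:*)            return 1 ;;   # Windows drive prefix such as C:
        ..|../*|*/..|*/../*)   return 1 ;;   # parent-directory component
    esac
    return 0
}

# Read entry names on stdin (one per line) and print the unsafe ones.
find_unsafe_entries() {
    while IFS= read -r entry; do
        safe_entry_path "$entry" || printf '%s\n' "$entry"
    done
}

# List entry names in a ZIP using 7-Zip's technical listing (-slt), which
# prints one "Path = ..." line per entry; the first such line names the
# archive itself and is dropped. -tzip selects the ZIP handler explicitly
# instead of relying on signature detection.
list_entry_paths() {
    7z l -tzip -slt -- "$1" | sed -n 's/^Path = //p' | sed '1d'
}

# Validate, then extract. Nothing is written if any entry is unsafe.
extract_untrusted() {
    archive=$1
    dest=$2
    entries=$(list_entry_paths "$archive")
    if [ -z "$entries" ]; then
        echo "$archive: could not list entries" >&2
        return 1
    fi
    bad=$(printf '%s\n' "$entries" | find_unsafe_entries)
    if [ -n "$bad" ]; then
        printf 'refusing %s, unsafe entry names:\n%s\n' "$archive" "$bad" >&2
        return 1
    fi
    mkdir "$dest" || return 1      # fresh directory; fails if it already exists
    7z x -tzip -y -o"$dest" -- "$archive"
}

# Constructed sample entry names (not from any real archive) run through the
# check; the last one is safe because ".." is only a prefix of a file name.
sample_entries='docs/readme.txt
bin/tool
C:\Windows\System32\evil.dll
..\..\etc\cron.d\job
/etc/ld.so.preload
ok/..foo/still-fine'
echo "unsafe entries in sample listing:"
printf '%s\n' "$sample_entries" | find_unsafe_entries

# Real use: sh safe_extract.sh untrusted.zip ./extracted
if [ $# -eq 2 ]; then
    extract_untrusted "$1" "$2"
fi
```

Run the script as an unprivileged user and point `dest` at a directory that only that user can write to; the listing step costs one extra pass over the archive but means a rejected archive never writes a single file.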
## How to Verify the Fix
After updating, confirm the installed version is patched:
```shell
$ 7z --help 2>&1 | head -2
7-Zip 26.01 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2026-04-27
```
- For CVE-2026-48095: version must be 26.01 or later
- For CVE-2025-11001 / CVE-2025-11002: version must be 25.00 or later
- For CVE-2024-11477: version must be 24.07 or later
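The three version rules above can be applied mechanically. The script below is an added example, not code from the article or from 7-Zip: it parses the banner line that `7z --help` prints, converts the version to a comparable number and reports which of the four CVEs the summary table's fixed-in versions leave open. The fixed-in versions are the ones from the table; the binary names checked are `7z`, `7za` and `7zr` as in the article plus `7zz`, the name used by the upstream 7-Zip Linux release. The sample banners are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not code from the article or from 7-Zip): parse the version
# banner printed by 7-Zip and report which of the four CVEs discussed in the
# article still apply. Fixed-in versions are those from the summary table.

# Extract MAJOR.MINOR from a banner line such as
#   "7-Zip 24.08 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11"
# p7zip ("7-Zip [64] 16.02 : ...") and 7zz ("7-Zip (z) 23.01 (x64) : ...")
# banners have the same shape. Prints nothing for a non-banner line.
banner_version() {
    printf '%s\n' "$1" | sed -n 's/^7-Zip.* \([0-9][0-9]*\.[0-9][0-9]*\) .*/\1/p'
}

# Turn MAJOR.MINOR into a sortable integer: 24.08 -> 2408, 26.01 -> 2601.
# awk is used so that a minor like "08" is read as decimal 8, not octal.
version_key() {
    printf '%s\n' "$1" | awk -F. '{ printf "%d\n", $1 * 100 + $2 }'
}

# Report CVEs whose fixed-in version is newer than the given version.
# Prints "patched" or "unpatched: CVE-... CVE-...".
report_cves() {
    v=$(version_key "$1")
    open=""
    if [ "$v" -lt "$(version_key 24.07)" ]; then open="$open CVE-2024-11477"; fi
    if [ "$v" -lt "$(version_key 25.00)" ]; then open="$open CVE-2025-11001 CVE-2025-11002"; fi
    if [ "$v" -lt "$(version_key 26.01)" ]; then open="$open CVE-2026-48095"; fi
    if [ -z "$open" ]; then echo "patched"; else echo "unpatched:$open"; fi
}

# Print the first banner line a 7-Zip binary emits, or nothing on failure.
binary_banner() {
    "$1" --help 2>&1 | sed -n '/^7-Zip/{p;q;}'
}

# 1. Constructed sample banners (not captured from any real system).
for banner in \
    "7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21" \
    "7-Zip 24.08 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11" \
    "7-Zip 26.01 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2026-04-27"
do
    ver=$(banner_version "$banner")
    echo "sample $ver: $(report_cves "$ver")"
done

# 2. Every 7-Zip binary actually on PATH: 7z/7za/7zr (p7zip) and 7zz, the
#    binary name of the upstream 7-Zip Linux release.
for bin in 7z 7za 7zr 7zz; do
    path=$(command -v "$bin" 2>/dev/null) || continue
    ver=$(banner_version "$(binary_banner "$path")")
    if [ -n "$ver" ]; then
        echo "$path $ver: $(report_cves "$ver")"
    else
        echo "$path: could not parse version banner" >&2
    fi
done
```

Because the check goes by the banner rather than by package metadata, it also catches binaries that a CI runner or build image installed outside the package manager, which the article lists among the common mistakes.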
## Distribution-Specific Notes
### Ubuntu and Debian
The p7zip and p7zip-full packages in official Ubuntu and Debian repositories may not track the latest upstream 7-Zip releases closely. Always verify the version after updating and consider whether the packaged version contains backported security fixes.
Check the Ubuntu Security Notices portal for USNs referencing 7-Zip or p7zip CVEs.
### RHEL, Rocky Linux, and AlmaLinux
The p7zip package in EPEL may lag behind upstream releases. Check the EPEL repository for updated versions:
```shell
sudo dnf updateinfo list security | grep p7zip
```
### Docker images
If your Docker build images include p7zip or 7-zip, rebuild them with an updated base image or explicitly install the patched version in your Dockerfile. Scan images using a vulnerability scanner to identify unpatched installations.
## Common Mistakes
- Assuming 7-Zip is only a risk on Windows. The Linux port is equally affected by these vulnerabilities.
- Checking only the system package without checking manually installed binaries. Build tools and CI runners often bundle their own 7-Zip installation separate from the system package manager.
- Not checking Docker images and containers. A vulnerable p7zip inside a container image still poses a risk when processing untrusted archives.
- Treating directory traversal as low-risk on Linux. While the Windows-specific path handling reduces impact on Linux, scripts running with elevated privileges that extract untrusted archives are still exposed.
## Quick Checklist
- [ ] Check all Linux systems for installed 7-Zip or p7zip versions
- [ ] Check CI/CD runners and build environments
- [ ] Check Docker and container images
- [ ] Update to 7-Zip 26.01 or later to address all four CVEs
- [ ] Verify the installed version with `7z --help`
- [ ] Review pipeline scripts for unvalidated archive extraction from external sources
- [ ] Avoid extracting untrusted archives with elevated privileges
## Related Guides
- Latest Linux Vulnerabilities Administrators Should Watch
- Linux Patch Management Security
- DNF Security Updates
- Container Security Context
## References
- NVD — CVE-2024-11477
- NVD — CVE-2025-11001
- NVD — CVE-2025-11002
- SocPrime — CVE-2026-48095 7-Zip Heap Overflow
- ThreatLocker — CVE-2025-11001 and CVE-2025-11002 Analysis
- 7-Zip Official Download
## Summary
Four high-severity vulnerabilities have been disclosed in 7-Zip between 2024 and 2026. CVE-2024-11477 allows remote code execution via crafted Zstandard archives. CVE-2025-11001 and CVE-2025-11002 allow directory traversal via crafted ZIP files and were actively exploited. CVE-2026-48095 is a heap buffer overflow in the NTFS parser triggerable through multiple archive formats. All four vulnerabilities are fixed in 7-Zip 26.01. Check all systems, CI runners, and container images for vulnerable p7zip or 7-zip installations and update immediately.