7-Zip 26.02 patches XZ heap overflow, no auto-update
7-Zip 26.02 fixes a heap-based buffer overflow in XZ decompression (ZDI-26-444) — RCE if a user opens a crafted archive, and there is no automatic update.
7-Zip 26.02 shipped today with a fix for a heap-based buffer overflow in the XZ decompression path. The write-up is Zero Day Initiative advisory ZDI-26-444; BleepingComputer’s coverage went up a few hours after the release. Credit to Landon Peng at Lunbun LLC, who reported it to Igor Pavlov on 2026-06-05 and disclosed publicly on 2026-07-15. A CVE has been assigned but has not landed on NVD or MITRE yet — I’m not going to print the number until it does, because half the mis-cited CVEs on the internet come from repeating a placeholder somebody read once and never checked again.
What changed
ZDI rates it 7.0, high. The parser mishandles specially crafted XZ chunked data and overflows a heap buffer, giving an attacker the ability to execute code in the context of the user who opened the file. No privileges required to trigger it. User interaction is required — someone has to actually open the archive or visit a page that loads it into a viewer wired up to 7-Zip. Attack complexity is high, which is ZDI’s way of saying it’s not a one-liner to make it fire on demand across every build; that is not a reason to relax.
No active exploitation has been reported. That was also true of the 7-Zip parser bugs that Russian threat actors picked up and ran with in 2025. The honest timeline on parser flaws in an archiver installed on tens of millions of endpoints is measured in weeks, not quarters.
What to actually do
- Push 26.02 to every managed Windows endpoint you own. 7-Zip does not have an auto-updater. If your MDM/config-management doesn’t already have a 7-Zip package definition, this is your reminder to add one — the tool ships on developer, admin, and analyst boxes across every org I’ve worked with, and none of it phones home.
- Sweep your build agents, sandbox VMs, and forensic workstations. These are the machines that open untrusted archives for a living. They also tend to run whatever 7-Zip version was installed the day the image was cut. Rebuild the base image or push the MSI, don’t just tell the team to update.
- Check
%ProgramFiles%\7-Zip\7z.dllversion on any host you can’t push a package to. 7-Zip runs from a lot of side-loaded install directories. Version string of the DLL is authoritative; the shortcut in the Start menu is not. - Do not treat this as more urgent than the KEV work in your queue this week. SharePoint CVE-2026-58644 and the two Fortinet FortiSandbox additions are unauth RCEs against internet-exposed services with confirmed exploitation. The 7-Zip bug requires a user to open a file. Priority order matters.
Priority call
Patch it inside your standard weekly window. Move it up if your users routinely open archives from untrusted sources — recruiter attachments, sample code from candidates, malware samples, vendor-supplied firmware bundles. That population is small, high-value, and exactly the target profile the 2025 campaigns hit.
The thing worth saying out loud: 7-Zip is one of the load-bearing bits of Windows tooling that ships without any of the delivery infrastructure the modern patch conversation assumes. There is no update daemon, no signed update channel wired to WSUS, no browser-style silent update. Every time one of these parser flaws lands, some percentage of the install base will still be running the vulnerable build next year. If you own the endpoint policy, the answer is a package. If you don’t, the answer is telling your users, in one sentence, to open 7-Zip and check Help → About and update if the number isn’t 26.02.
Sourcing
- Zero Day Initiative: ZDI-26-444, 7-Zip XZ Decompression Heap-based Buffer Overflow Remote Code Execution Vulnerability
- BleepingComputer: Update now — 7-Zip fixes RCE flaw exploitable with malicious archives — 2026-07-18
- 7-Zip download page
- Related: HollowByte: 11-byte OpenSSL DoS — another this-week disclosure where the interesting story is the release plumbing, not the bug itself
Found this useful? Share it.