A flaw in 7-Zip’s XZ decompression could allow attackers to execute arbitrary code when a user opens a malicious archive — the developer released version 26.02 to address the problem.
What the fix in 7-Zip 26.02 does
Version 26.02 of 7-Zip was released to correct a remote code execution vulnerability that affects how the program processes XZ-compressed data. The changes visible in the 26.02 source code indicate the patch adds checks to ensure the decoder cannot write beyond the remaining available space in an output buffer. Those checks are intended to prevent a heap-based buffer overflow that, according to an advisory from the Zero Day Initiative (ZDI), can be triggered by specially crafted XZ data.
How the vulnerability works and how it can be abused
The vulnerability was disclosed by Lunbun researcher Landon Peng. ZDI’s advisory states that specially crafted XZ data can trigger a heap-based buffer overflow, and that overflow "potentially allow[es] attackers to execute arbitrary code as the user." The advisory also notes that exploitation requires user interaction — for example, visiting a malicious web page or opening a malicious archive file — meaning the flaw is not wormable but can be leveraged through social engineering or phishing to install malware on targeted systems.
No automatic update — what users must do
Because 7-Zip does not include an automatic update feature, users will not receive the security fix automatically. The developer’s distribution model requires manual installation: users must download the latest version from 7-zip.org and install it themselves. The advisory and reporting both advise updating to version 26.02 as soon as possible to reduce the risk of future attacks.
Archive vulnerabilities in the wild: recent precedents
Archive-format flaws have been attractive to threat actors. The reporting reminds readers of two incidents in early and later 2025: a 7-Zip vulnerability that allowed malware to bypass Windows' Mark of the Web (MotW) security feature was exploited as a zero-day by Russian hackers, and a separate WinRAR vulnerability tracked as CVE-2025-8088 was used by a Russian hacking group via phishing attacks to install the RomCom malware. Those precedents underscore why archive utilities — especially widely used ones on Windows like 7-Zip — are high-value targets for attackers seeking an entry vector.
What this means for security teams, end users, and attackers
- Security teams and technologists: Confirm which endpoints run 7-Zip, and prioritize manual deployment of 7-Zip 26.02 where the application is present. Given the need for user interaction to exploit the vulnerability, include archive-handling and browser-download controls in relevant detection and response playbooks.
- End users and administrators: Do not assume automatic protection. Download 7-Zip 26.02 from the official site (7-zip.org) and install it manually. Be cautious about opening archives received by email or downloaded from untrusted sites, since exploitation requires some user action such as opening a malicious archive.
- Adversaries and threat actors: The vulnerability is a plausible vehicle for phishing- and archive-based delivery of malware. While there are currently no reports of active exploitation of this newly disclosed flaw, past use of archive vulnerabilities demonstrates the technique’s effectiveness when weaponized.
Developer notes in the 26.02 source indicate the patch targets how 7-Zip tracks available space while decompressing XZ data to prevent writes beyond an output buffer’s remaining capacity. The developer has not published a detailed technical write-up of the underlying flaw; analysis in public advisories and the source-code change set is the basis for the public description of the issue.
There are currently no reports that attackers are actively exploiting this newly disclosed 7-Zip vulnerability. Still, because exploitation only requires a convincing lure — a malicious archive or a crafted web page — and because 7-Zip remains one of the most widely used archive utilities on Windows, administrators and users are advised to apply the 26.02 update without delay.




