Skip to content

Security: p7zip dependency vulnerable to CVE-2026-48095 (Heap buffer overflow in NTFS handler) #954

Description

@Mr-xn

Description

binwalk depends on p7zip (17.05/17.06), which is affected by CVE-2026-48095 — a heap buffer overflow vulnerability in the NTFS archive handler that can lead to remote code execution.

The vulnerability was fixed in 7-Zip 26.01 (2026-04-27), but p7zip is no longer actively maintained and will not receive this fix.

Current State

  • p7zip: Last release 17.06 (2019), unmaintained
  • sevenzip (official 7-Zip CLI): Actively maintained, current version 26.01

Suggestion

Consider migrating the dependency from p7zip to sevenzip (the official 7-Zip CLI for Linux/macOS).

In Homebrew, sevenzip provides the 7zz command as a drop-in replacement.

References

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions