7-Zip Vulnerability CVE-2026-14266 Allows Remote Code Execution

7-Zip Vulnerability CVE-2026-14266 Allows Remote Code Execution

First seen 17 Jul 2026, 10:24 UTC CybersecuritynewsMallory.AiGbhackersHeise.Dewww.zerodayinitiative.com+1 82% similarity 64.5

Article Content

Browse articles
ThreatCluster

A newly disclosed vulnerability in 7-Zip, tracked as CVE-2026-14266, enables remote code execution via a heap-based buffer overflow when processing crafted XZ chunked data. Attackers can exploit this flaw by tricking users into opening malicious files or visiting compromised websites. The vulnerability has been assigned a CVSS score of 7.0, indicating a high risk due to the required user interaction. The flaw was reported by Landon Peng of Lunbun LLC and disclosed by Trend Micro's Zero-Day Initiative (ZDI) under advisory ZDI-26-444. Users are advised to update to 7-Zip version 26.02, released on June 25, 2026, which contains the necessary patch. As of the publication date, no public proof-of-concept or in-the-wild exploitation has been confirmed. However, the widespread use of 7-Zip heightens the potential impact of this vulnerability.

Key Points: • CVE-2026-14266 allows remote code execution through crafted XZ files. • Users must open malicious files or visit compromised sites to be exploited. • 7-Zip version 26.02 released to patch the vulnerability; users urged to update.

ThreatCluster AI

Timeline

2026-06-25
7-Zip version 26.02 released
The update includes a patch for CVE-2026-14266, addressing the buffer overflow vulnerability.
Mallory.Ai
2026-07-17
CVE-2026-14266 disclosed
The vulnerability was reported by Landon Peng and disclosed by Trend Micro's ZDI, allowing remote code execution.
Heise.De
2026-07-17
Advisory ZDI-26-444 published
Trend Micro's Zero-Day Initiative published an advisory detailing the vulnerability and its implications.
www.zerodayinitiative.com

Community

Browse all →