Skip to main content
LiMP VPN
All news

7-Zip Flaw Allows Code Execution — Update to 26.02

7-Zip Flaw Allows Code Execution — Update to 26.02

In short: A critical flaw in 7-Zip, the hugely popular free archiver, was publicly disclosed on 15 July 2026. Tracked as CVE-2026-14266, it lets a specially crafted archive run arbitrary code on your computer with your own privileges. A fix shipped in version 26.02 — but 7-Zip has no auto-update, so millions of installations stay vulnerable until users update by hand. The single most important step: install 7-Zip 26.02 or later now.

What happened

On 15 July 2026, Trend Micro's Zero Day Initiative published advisory ZDI-26-444 for a new 7-Zip vulnerability, CVE-2026-14266. The flaw was reported to the developer on 5 June 2026 by researcher Landon Peng of Lunbun LLC, and under coordinated disclosure a patched build — 7-Zip 26.02 — was released before the details went public. The bug carries a CVSS score of 7.0 (high).

It is the second dangerous archiver flaw we have covered in a short span: earlier we wrote about a similar remote-code-execution hole in WinRAR. Archiving tools are an attractive target precisely because almost everyone has one installed and opens attachments through it without a second thought.

What the vulnerability actually is

CVE-2026-14266 is a heap-based buffer overflow in how 7-Zip parses XZ chunked data. When 7-Zip processes a specially crafted XZ stream, it can write beyond the boundary of an allocated memory buffer — a memory-corruption condition that an attacker can steer into running their own code within the security context of the current 7-Zip process. In practice that means the malicious code runs with the same rights as the user who opened the file.

Crucially, exploitation requires user interaction. An attacker cannot break in silently; the victim has to open a booby-trapped archive, or visit a malicious webpage crafted to deliver the XZ payload. That is a lower bar than it sounds, because opening an archive is exactly what people do dozens of times a day without thinking.

Why this is dangerous for your data

7-Zip is one of the most widely used programs on Windows PCs, and it does not update itself. Many people install it once and never touch it again, so a flaw fixed in a new release can stay wide open on their machine for months or years. All an attacker needs is to get you to open one file — a fake invoice, a "document" from a colleague, a download from a dubious site.

Once code runs under your account, the consequences are the usual ones: passwords lifted from the browser, banking and email sessions hijacked, files encrypted by ransomware, or a quiet backdoor left behind. The more of your data has already leaked elsewhere — as in the billion-record infostealer leak we reported — the more precisely such an attack can be aimed at you.

How to protect yourself

Update 7-Zip to 26.02 or later. 7-Zip has no built-in updater, so download the current version from the official site (7-zip.org) and reinstall over the old one. This is the only step that actually closes the hole.

Do not open archives from untrusted sources. The attack needs you to open a malicious file, so treat unexpected .7z, .zip and especially .xz attachments with suspicion — our guide on protecting accounts from hijacking covers the warning signs.

Use a password manager and two-factor authentication. If code does run on your machine, unique passwords in a password manager plus 2FA limit how far an attacker can get with what they steal.

Encrypt your connection on untrusted networks. A VPN does not patch a program flaw — only the update does that. But it complements patching: on public or shared Wi-Fi it routes your traffic through an encrypted tunnel, so others on the same network cannot intercept the logins and sessions you send to banking, mail or work portals. LiMP VPN is a no-logs service for iOS and Android — see the features and plans, and more security news on our blog.

Should I worry if I do not use 7-Zip?

If 7-Zip is not installed, this specific flaw does not affect you — but the lesson generalises. Any archiver, PDF reader or media player that opens files from outside can carry a parsing bug like this. Keep every such tool updated, prefer official download sources, and be wary of unexpected attachments regardless of which program opens them. The habit matters more than the single patch.

Sources

This report is based on the official advisory from Trend Micro Zero Day Initiative (ZDI-26-444), the 7-Zip 26.02 release notes on the project's GitHub, and coverage by Cybersecurity News, July 2026.

7-Zip Flaw Allows Code Execution — Update to 26.02