7-Zip has released version 26.02 to address a remote code execution vulnerability in how the popular archive utility processes XZ-compressed data. Attackers who convince a user to open a specially crafted compressed file could trigger the flaw to execute arbitrary code with the privileges of the logged-in user.

The vulnerability was disclosed by researcher Landon Peng of Lunbun and detailed in an advisory from the Zero Day Initiative. According to the advisory, specially crafted XZ data can cause a heap-based buffer overflow during decompression, allowing an attacker to run code as the user opening the file.

7-Zip’s developer has not published technical details of the bug, but changes in the 26.02 source code point to an issue in how the program tracks available space while decompressing XZ streams. The patch adds bounds checks to prevent the decoder from writing past the remaining space in the output buffer, closing off the overflow condition.

Exploitation requires user interaction, such as opening a malicious archive file or visiting a page that delivers one, according to the advisory.

No automatic update mechanism

7-Zip does not include a built-in auto-update feature, so users will not receive this fix automatically. Anyone running the tool needs to manually download and install version 26.02 from the official 7-zip.org site.

Because 7-Zip is one of the most widely deployed archive utilities on Windows, vulnerabilities in its parsing code are attractive to threat actors, who can weaponize them through phishing or social engineering campaigns that trick victims into opening booby-trapped archives.

This concern is not theoretical. In early 2025, a separate 7-Zip flaw that allowed malware to bypass Windows’ Mark of the Web protection was exploited as a zero-day by Russian threat actors. Later that year, a Russian hacking group exploited a WinRAR vulnerability, tracked as CVE-2025-8088, via phishing emails to deploy the RomCom malware.

There are currently no reports of active exploitation of this newly disclosed 7-Zip vulnerability. Still, given the history of archive-utility bugs being weaponized quickly, users and administrators are advised to update to 7-Zip 26.02 as soon as possible.