7-Zip Ships Emergency Fix for Flaw That Lets Booby-Trapped Archives Run Code
Version 26.02 patches a heap buffer overflow in XZ decompression. There is no auto-update, so users have to grab it themselves.

Key points
- 7-Zip released version 26.02 to fix a remote code execution flaw in how it handles XZ-compressed data.
- The bug was reported by Lunbun researcher Landon Peng and disclosed through the Zero Day Initiative.
- Exploiting it requires a user to open a booby-trapped archive or visit a malicious page.
- 7-Zip has no automatic updater, so users must download the new version manually from 7-zip.org.
- No active attacks have been reported yet, but past 7-Zip and WinRAR flaws were used by Russian hackers in 2025.
7-Zip, the free file-compression tool used by millions of people on Windows, has pushed out an urgent update. The new version, 26.02, closes a security hole that could let an attacker take over a computer if the user simply opens the wrong file.
The flaw sits in how 7-Zip unpacks XZ files, a common compressed file format similar to ZIP. A researcher named Landon Peng, working with a company called Lunbun, found that a specially built XZ file can trick the program into writing data into parts of memory it should never touch. That mistake, known as a heap-based buffer overflow, can be steered by an attacker to run their own code on the victim's machine.
The report was handled by the Zero Day Initiative, a program run by Trend Micro that pays researchers for bug reports and coordinates fixes with vendors.
What does this mean for someone who just uses 7-Zip at home or work?
You need to update, but you will not get a pop-up telling you to. 7-Zip has no automatic update feature. That means every copy out there stays vulnerable until the person using it goes to 7-zip.org and installs the new version by hand.
The attack is not silent. Someone has to open a malicious archive, or visit a page that serves one, for the flaw to fire. That sounds reassuring until you remember how often people do exactly that after clicking a link in an email.
As first reported by BleepingComputer, the developer has not published a deep technical writeup. But the source code changes in 26.02 line up with the theory: the patch adds checks so the decoder cannot write past the space it has been given in memory.
Has this kind of thing happened before?
Yes, and recently. In early 2025, attackers linked to Russia used a different 7-Zip bug as a zero-day, meaning a flaw the vendor did not yet know about, to slip past a Windows safety feature called Mark of the Web that warns users when they open files downloaded from the internet.
Later in 2025, a Russian group exploited a WinRAR flaw tracked as CVE-2025-8088 to install malware called RomCom through phishing emails, the fake messages criminals send to trick staff into opening dodgy attachments.
So the pattern is well established. Archive tools are on almost every Windows machine. They are trusted. And they are a favourite delivery route for malware, which is software designed to do harm.
What should you actually do?
Open 7-Zip. Check the version. If it is anything older than 26.02, go to 7-zip.org and install the latest release. If you run IT for a company, push the update out through whatever software management tool you use, and remind staff not to open compressed files from senders they do not know.
There are no reports of anyone attacking this bug in the wild yet. That is the good news. The less good news is that details are now public, patches can be reverse-engineered, and the clock has started.
This is a plain authentication-adjacent problem in the loosest sense: the program trusts the file it is asked to open. Multi-factor authentication would not have helped here. Patching will.



