SUSE SLED15 / SLES15 Security Update : 7zip (SUSE-SU-2026:2696-1)

high Nessus Plugin ID 324876

Synopsis

The remote SUSE host is missing one or more security updates.

Description

The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 host has a package installed that is affected by multiple vulnerabilities as referenced in the SUSE-SU-2026:2696-1 advisory.

This update for 7zip fixes the following issues

Update to 26.01:

- CVE-2026-48092: Information disclosure in 32-bit builds due to heap memory disclosure (bsc#1267858).
- CVE-2026-48095: Heap buffer overflow via NTFS compressed stream buffer under-allocation (bsc#1267421).
- CVE-2026-48101: Information Disclosure via uninitialized memory in UEFI capsule parser (bsc#1267859).
- CVE-2026-48102: Information disclosure and denial of service via crafted UDF image (bsc#1267860).
- CVE-2026-48103: off-by-one heap out-of-bounds read (bsc#1267861).
- CVE-2026-48104: Uninitialized heap read in SquashFS archive handler (bsc#1267862).
- CVE-2026-48111: off-by-one out-of-bounds read in ParseDepedencyExpression function (bsc#1267863).
- CVE-2026-48112: heap out-of-bounds read in BSD SYMDEF parser (bsc#1267864).

Changes:

* linux version of 7-Zip can use huge pages (2 MB pages). It can increase compression speed for 10% for 7z/xz/LZMA/LZMA2 compression.
* new -spo[d|c|r] switch specifies the path generation mode for the output directory for archive extraction. The output directory path is generated from the path specified in the -o{dir_path} switch and the name of the archive being unpacked.
-spod : for Linux/Posix/macOS: -o{dir_path} specifies the direct path to the output directory. The asterisk (*) character in {dir_path} will not be replaced by the archive name.
-spoc : 7-Zip will concatenate the path specified in -o{dir_path} with the archive name to form the final path to the output directory.
-spor : 7-Zip will replace asterisk (*) character in the path specified in the -o{dir_path} with the archive name.
This is the default option.
* improved code for ZIP, CPIO, RAR, UFD, QCOW, Compound.
* 7-Zip File Manager: improved sorting order of the file list.
It uses file name as secondary sorting key.:
* 7-Zip File Manager: improved Benchmark to support systems with more than 64 CPU threads.
* bug fixed: 7-Zip could not correctly extract TAR archives containing sparse files

Tenable has extracted the preceding description block directly from the SUSE security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

Solution

Update the affected 7zip package.

See Also

https://bugzilla.suse.com/1267421

https://bugzilla.suse.com/1267858

https://bugzilla.suse.com/1267859

https://bugzilla.suse.com/1267860

https://bugzilla.suse.com/1267861

https://bugzilla.suse.com/1267862

https://bugzilla.suse.com/1267863

https://bugzilla.suse.com/1267864

https://lists.suse.com/pipermail/sle-updates/2026-June/047736.html

https://www.suse.com/security/cve/CVE-2026-48092

https://www.suse.com/security/cve/CVE-2026-48095

https://www.suse.com/security/cve/CVE-2026-48101

https://www.suse.com/security/cve/CVE-2026-48102

https://www.suse.com/security/cve/CVE-2026-48103

https://www.suse.com/security/cve/CVE-2026-48104

https://www.suse.com/security/cve/CVE-2026-48111

https://www.suse.com/security/cve/CVE-2026-48112

Plugin Details

Severity: High

ID: 324876

File Name: suse_SU-2026-2696-1.nasl

Version: 1.1

Type: Local

Agent: unix

Published: 7/2/2026

Updated: 7/2/2026

Supported Sensors: Agentless Assessment, Continuous Assessment, Frictionless Assessment Agent, Frictionless Assessment AWS, Frictionless Assessment Azure, Nessus Agent, Tenable Cloud Security, Tenable Self-Hosted Container Security, Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.9

Percentile: 99.36

CVSS v2

Risk Factor: High

Base Score: 9.4

Temporal Score: 7.4

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:N/A:C

CVSS Score Source: CVE-2026-48092

CVSS v3

Risk Factor: High

Base Score: 8.1

Temporal Score: 7.3

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

Temporal Vector: CVSS:3.0/E:P/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:novell:suse_linux:15, p-cpe:/a:novell:suse_linux:7zip

Required KB Items: Host/local_checks_enabled, Host/cpu, Host/SuSE/release, Host/SuSE/rpm-list

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 6/30/2026

Vulnerability Publication Date: 6/4/2026

Reference Information

CVE: CVE-2026-48092, CVE-2026-48095, CVE-2026-48101, CVE-2026-48102, CVE-2026-48103, CVE-2026-48104, CVE-2026-48111, CVE-2026-48112

IAVA: 2026-A-0525

SuSE: SUSE-SU-2026:2696-1