7-Zip is a file archiver with a high compression ratio. Versions 26.00 and prior contain a heap buffer overflow vulnerability caused by an under-allocation in the NTFS compressed stream buffer (GetCuSize shift UB), potentially allowing attackers to cause arbitrary code execution or application crashes. CInStream::GetCuSize() in the NTFS handler computes the compression-unit buffer size as (UInt32)1 << (BlockSizeLog + CompressionUnit), and a crafted image with ClusterSizeLog >= 28 and CompressionUnit == 4 drives the exponent to 32, which is undefined behavior and collapses on x86/x64 so _inBuf is allocated as 1 byte. ReadStream_FALSE then writes up to 256 MB of attacker-controlled data into that 1-byte buffer in 64 KB iterations, and because the CInStream object sits only 304 bytes after _inBuf, its vtable pointer is overwritten and the next dispatched call achieves a vtable hijack. On 32-bit builds the overflow is unconditionally reached; on 64-bit it requires the parallel 8 GB _outBuf
Casky was already ahead
This CVE exploits attack patterns that Casky's 255matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-48095 is a heap buffer overflow vulnerability in 7-Zip versions 26.00 and prior, affecting the NTFS compressed stream handler. The flaw stems from under-allocation in the CInStream::GetCuSize() function, which miscalculates buffer sizes when processing crafted archive images with specific cluster size parameters. This vulnerability matters because 7-Zip is widely used across enterprises and personal systems for file compression and extraction. Attackers can exploit this by crafting malicious archive files that trigger arbitrary code execution or cause application crashes, potentially compromising systems that process untrusted archives. Users and organizations relying on 7-Zip for routine file operations—from software deployment to data backup—face direct risk if they open adversary-controlled archives.
Casky's 255 mapped security skills leverage Claude AI's extended reasoning to detect the attack patterns underlying this vulnerability across MITRE ATT&CK's Execution (TA0002) and Persistence (TA0003) tactics. Practitioners using Casky would identify suspicious behaviors associated with CWE-190 (integer overflow) and CWE-787 (out-of-bounds write), such as abnormal memory allocation patterns in archive processing workflows, unexpected process spawning following archive extraction, or memory corruption indicators in application logs. The platform's skill mapping would surface detection opportunities at multiple stages: monitoring 7-Zip process creation with suspicious parameters, detecting heap spray attempts, identifying malicious archive delivery mechanisms, and tracking post-exploitation persistence techniques. Security teams would see findings correlating crafted file characteristics (ClusterSizeLog values, compression unit misalignments) with execution anomalies, enabling proactive hunting and incident response before full compromise occurs.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-48095.
Casky has 255 skills that investigate the attack patterns behind CVE-2026-48095. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →analyzing-browser-forensics-with-hindsight
digital forensics · low
analyzing-cobalt-strike-beacon-configuration
malware analysis · medium
analyzing-cobaltstrike-malleable-c2-profiles
malware analysis · medium
analyzing-command-and-control-communication
malware analysis · medium
analyzing-disk-image-with-autopsy
digital forensics · low
analyzing-dns-logs-for-exfiltration
soc operations · low
analyzing-docker-container-forensics
digital forensics · low
analyzing-email-headers-for-phishing-investigation
digital forensics · low
analyzing-golang-malware-with-ghidra
malware analysis · medium
analyzing-heap-spray-exploitation
malware analysis · medium
analyzing-kubernetes-audit-logs
container security · low
analyzing-linux-elf-malware
malware analysis · medium
analyzing-linux-kernel-rootkits
digital forensics · low
analyzing-linux-system-artifacts
digital forensics · low
analyzing-lnk-file-and-jump-list-artifacts
digital forensics · low
analyzing-macro-malware-in-office-documents
malware analysis · medium
analyzing-malicious-pdf-with-peepdf
malware analysis · medium
analyzing-malware-behavior-with-cuckoo-sandbox
malware analysis · medium
analyzing-malware-persistence-with-autoruns
malware analysis · medium
analyzing-malware-sandbox-evasion-techniques
malware analysis · medium
analyzing-memory-dumps-with-volatility
malware analysis · medium
analyzing-mft-for-deleted-file-recovery
digital forensics · low
analyzing-network-covert-channels-in-malware
malware analysis · medium
analyzing-network-traffic-of-malware
malware analysis · medium
analyzing-outlook-pst-for-email-forensics
digital forensics · low
analyzing-packed-malware-with-upx-unpacker
malware analysis · medium
analyzing-pdf-malware-with-pdfid
malware analysis · medium
analyzing-persistence-mechanisms-in-linux
threat hunting · low
analyzing-powershell-empire-artifacts
threat hunting · low
analyzing-prefetch-files-for-execution-history
digital forensics · low
analyzing-ransomware-encryption-mechanisms
malware analysis · medium
analyzing-ransomware-network-indicators
threat hunting · low
analyzing-slack-space-and-file-system-artifacts
digital forensics · low
analyzing-supply-chain-malware-artifacts
malware analysis · medium
analyzing-usb-device-connection-history
digital forensics · low
analyzing-windows-amcache-artifacts
digital forensics · low
analyzing-windows-event-logs-in-splunk
soc operations · low
analyzing-windows-lnk-files-for-artifacts
digital forensics · low
analyzing-windows-prefetch-with-python
digital forensics · low
analyzing-windows-registry-for-artifacts
digital forensics · low
analyzing-windows-shellbag-artifacts
digital forensics · low
building-automated-malware-submission-pipeline
soc operations · low
building-c2-infrastructure-with-sliver-framework
red teaming · high
building-detection-rule-with-splunk-spl
soc operations · low
building-detection-rules-with-sigma
soc operations · low
building-incident-response-dashboard
soc operations · low
building-red-team-c2-infrastructure-with-havoc
red teaming · high
building-soc-escalation-matrix
soc operations · low
building-soc-metrics-and-kpi-tracking
soc operations · low
building-soc-playbook-for-ransomware
soc operations · low
building-threat-hunt-hypothesis-framework
threat hunting · low
building-threat-intelligence-enrichment-in-splunk
soc operations · low
building-threat-intelligence-feed-integration
soc operations · low
building-vulnerability-scanning-workflow
soc operations · low
conducting-api-security-testing
penetration testing · medium
conducting-domain-persistence-with-dcsync
red teaming · high
conducting-external-reconnaissance-with-osint
penetration testing · medium
conducting-full-scope-red-team-engagement
red teaming · high
conducting-internal-network-penetration-test
penetration testing · medium
conducting-internal-reconnaissance-with-bloodhound-ce
red teaming · high
conducting-mobile-app-penetration-test
penetration testing · medium
conducting-network-penetration-test
penetration testing · medium
conducting-pass-the-ticket-attack
red teaming · high
conducting-social-engineering-penetration-test
penetration testing · medium
conducting-social-engineering-pretext-call
red teaming · high
conducting-spearphishing-simulation-campaign
red teaming · high
conducting-wireless-network-penetration-test
penetration testing · medium
configuring-host-based-intrusion-detection
endpoint security · low
configuring-windows-defender-advanced-settings
endpoint security · low
configuring-windows-event-logging-for-detection
endpoint security · low
correlating-security-events-in-qradar
soc operations · low
deobfuscating-javascript-malware
malware analysis · medium
deobfuscating-powershell-obfuscated-malware
malware analysis · medium
deploying-edr-agent-with-crowdstrike
endpoint security · low
deploying-osquery-for-endpoint-monitoring
endpoint security · low
detecting-container-drift-at-runtime
container security · low
detecting-container-escape-attempts
container security · low
detecting-container-escape-with-falco-rules
container security · low
detecting-dcsync-attack-in-active-directory
threat hunting · low
detecting-dll-sideloading-attacks
threat hunting · low
detecting-email-forwarding-rules-attack
threat hunting · low
detecting-evasion-techniques-in-endpoint-logs
endpoint security · low
detecting-fileless-attacks-on-endpoints
endpoint security · low
detecting-fileless-malware-techniques
malware analysis · medium
detecting-golden-ticket-attacks-in-kerberos-logs
threat hunting · low
detecting-insider-threat-behaviors
threat hunting · low
detecting-kerberoasting-attacks
threat hunting · low
detecting-lateral-movement-with-splunk
threat hunting · low
detecting-malicious-scheduled-tasks-with-sysmon
threat hunting · low
detecting-mimikatz-execution-patterns
threat hunting · low
detecting-ntlm-relay-with-event-correlation
threat hunting · low
detecting-pass-the-hash-attacks
threat hunting · low
detecting-privilege-escalation-attempts
threat hunting · low
detecting-privilege-escalation-in-kubernetes-pods
container security · low
detecting-process-hollowing-technique
threat hunting · low
detecting-process-injection-techniques
malware analysis · medium
detecting-rootkit-activity
malware analysis · medium
detecting-service-account-abuse
threat hunting · low
detecting-suspicious-powershell-execution
threat hunting · low
detecting-t1003-credential-dumping-with-edr
threat hunting · low
detecting-t1055-process-injection-with-sysmon
threat hunting · low
detecting-t1548-abuse-elevation-control-mechanism
threat hunting · low
detecting-wmi-persistence
threat hunting · low
executing-active-directory-attack-simulation
penetration testing · medium
executing-phishing-simulation-campaign
penetration testing · medium
executing-red-team-engagement-planning
red teaming · high
executing-red-team-exercise
penetration testing · medium
exploiting-active-directory-certificate-services-esc1
red teaming · high
exploiting-active-directory-with-bloodhound
red teaming · high
exploiting-constrained-delegation-abuse
red teaming · high
exploiting-kerberoasting-with-impacket
red teaming · high
exploiting-ms17-010-eternalblue-vulnerability
red teaming · high
exploiting-nopac-cve-2021-42278-42287
red teaming · high
exploiting-sql-injection-vulnerabilities
penetration testing · medium
exploiting-zerologon-vulnerability-cve-2020-1472
red teaming · high
extracting-browser-history-artifacts
digital forensics · low
extracting-config-from-agent-tesla-rat
malware analysis · medium
extracting-credentials-from-memory-dump
digital forensics · low
extracting-iocs-from-malware-samples
malware analysis · medium
extracting-windows-event-logs-artifacts
digital forensics · low
hardening-docker-containers-for-production
container security · low
hardening-docker-daemon-configuration
container security · low
hardening-linux-endpoint-with-cis-benchmark
endpoint security · low
hardening-windows-endpoint-with-cis-benchmark
endpoint security · low
hunting-for-anomalous-powershell-execution
threat hunting · low
hunting-for-beaconing-with-frequency-analysis
threat hunting · low
hunting-for-cobalt-strike-beacons
threat hunting · low
hunting-for-command-and-control-beaconing
threat hunting · low
hunting-for-data-exfiltration-indicators
threat hunting · low
hunting-for-data-staging-before-exfiltration
threat hunting · low
hunting-for-dcom-lateral-movement
threat hunting · low
hunting-for-dcsync-attacks
threat hunting · low
hunting-for-defense-evasion-via-timestomping
threat hunting · low
hunting-for-dns-based-persistence
threat hunting · low
hunting-for-dns-tunneling-with-zeek
threat hunting · low
hunting-for-domain-fronting-c2-traffic
threat hunting · low
hunting-for-lateral-movement-via-wmi
threat hunting · low
hunting-for-living-off-the-cloud-techniques
threat hunting · low
hunting-for-living-off-the-land-binaries
threat hunting · low
hunting-for-lolbins-execution-in-endpoint-logs
threat hunting · low
hunting-for-ntlm-relay-attacks
threat hunting · low
hunting-for-persistence-mechanisms-in-windows
threat hunting · low
hunting-for-persistence-via-wmi-subscriptions
threat hunting · low
hunting-for-process-injection-techniques
threat hunting · low
hunting-for-registry-persistence-mechanisms
threat hunting · low
hunting-for-registry-run-key-persistence
threat hunting · low
hunting-for-scheduled-task-persistence
threat hunting · low
hunting-for-shadow-copy-deletion
threat hunting · low
hunting-for-spearphishing-indicators
threat hunting · low
hunting-for-startup-folder-persistence
threat hunting · low
hunting-for-supply-chain-compromise
threat hunting · low
hunting-for-suspicious-scheduled-tasks
threat hunting · low
hunting-for-t1098-account-manipulation
threat hunting · low
hunting-for-unusual-network-connections
threat hunting · low
hunting-for-unusual-service-installations
threat hunting · low
hunting-for-webshell-activity
threat hunting · low
implementing-alert-fatigue-reduction
soc operations · low
implementing-application-whitelisting-with-applocker
endpoint security · low
implementing-container-image-minimal-base-with-distroless
container security · low
implementing-container-network-policies-with-calico
container security · low
implementing-disk-encryption-with-bitlocker
endpoint security · low
implementing-endpoint-dlp-controls
endpoint security · low
implementing-file-integrity-monitoring-with-aide
endpoint security · low
implementing-image-provenance-verification-with-cosign
container security · low
implementing-kubernetes-network-policy-with-calico
container security · low
implementing-kubernetes-pod-security-standards
container security · low
implementing-memory-protection-with-dep-aslr
endpoint security · low
implementing-mitre-attack-coverage-mapping
soc operations · low
implementing-network-policies-for-kubernetes
container security · low
implementing-opa-gatekeeper-for-policy-enforcement
container security · low
implementing-pod-security-admission-controller
container security · low
implementing-rbac-hardening-for-kubernetes
container security · low
implementing-runtime-security-with-tetragon
container security · low
implementing-siem-use-cases-for-detection
soc operations · low
implementing-soar-automation-with-phantom
soc operations · low
implementing-soar-playbook-with-palo-alto-xsoar
soc operations · low
implementing-supply-chain-security-with-in-toto
container security · low
implementing-threat-modeling-with-mitre-attack
soc operations · low
implementing-ticketing-system-for-incidents
soc operations · low
implementing-usb-device-control-policy
endpoint security · low
investigating-insider-threat-indicators
soc operations · low
investigating-phishing-email-incident
soc operations · low
investigating-ransomware-attack-artifacts
digital forensics · low
performing-active-directory-bloodhound-analysis
red teaming · high
performing-active-directory-penetration-test
penetration testing · medium
performing-alert-triage-with-elastic-siem
soc operations · low
performing-automated-malware-analysis-with-cape
malware analysis · medium
performing-cloud-forensics-investigation
digital forensics · low
performing-cloud-storage-forensic-acquisition
digital forensics · low
performing-container-escape-detection
container security · low
performing-container-security-scanning-with-trivy
container security · low
performing-credential-access-with-lazagne
red teaming · high
performing-deception-technology-deployment
soc operations · low
performing-docker-bench-security-assessment
container security · low
performing-dynamic-analysis-with-any-run
malware analysis · medium
performing-endpoint-forensics-investigation
endpoint security · low
performing-endpoint-vulnerability-remediation
endpoint security · low
performing-external-network-penetration-test
penetration testing · medium
performing-false-positive-reduction-in-siem
soc operations · low
performing-file-carving-with-foremost
digital forensics · low
performing-firmware-malware-analysis
malware analysis · medium
performing-initial-access-with-evilginx3
red teaming · high
performing-ioc-enrichment-automation
soc operations · low
performing-iot-security-assessment
penetration testing · medium
performing-kerberoasting-attack
red teaming · high
performing-kubernetes-cis-benchmark-with-kube-bench
container security · low
performing-kubernetes-etcd-security-assessment
container security · low
performing-kubernetes-penetration-testing
container security · low
performing-lateral-movement-detection
soc operations · low
performing-lateral-movement-with-wmiexec
red teaming · high
performing-linux-log-forensics-investigation
digital forensics · low
performing-log-analysis-for-forensic-investigation
digital forensics · low
performing-log-source-onboarding-in-siem
soc operations · low
performing-malware-persistence-investigation
digital forensics · low
performing-malware-triage-with-yara
malware analysis · medium
performing-memory-forensics-with-volatility3
digital forensics · low
performing-memory-forensics-with-volatility3-plugins
malware analysis · medium
performing-mobile-device-forensics-with-cellebrite
digital forensics · low
performing-network-forensics-with-wireshark
digital forensics · low
performing-network-packet-capture-analysis
digital forensics · low
performing-open-source-intelligence-gathering
red teaming · high
performing-physical-intrusion-assessment
red teaming · high
performing-privilege-escalation-assessment
penetration testing · medium
performing-privilege-escalation-on-linux
red teaming · high
performing-purple-team-exercise
soc operations · low
performing-soc-tabletop-exercise
soc operations · low
performing-sqlite-database-forensics
digital forensics · low
performing-static-malware-analysis-with-pe-studio
malware analysis · medium
performing-steganography-detection
digital forensics · low
performing-thick-client-application-penetration-test
penetration testing · medium
performing-threat-hunting-with-elastic-siem
soc operations · low
performing-threat-hunting-with-yara-rules
threat hunting · low
performing-timeline-reconstruction-with-plaso
digital forensics · low
performing-user-behavior-analytics
soc operations · low
performing-vulnerability-scanning-with-nessus
penetration testing · medium
performing-web-application-penetration-test
penetration testing · medium
performing-windows-artifact-analysis-with-eric-zimmerman-tools
digital forensics · low
performing-wireless-network-penetration-test
penetration testing · medium
performing-yara-rule-development-for-detection
malware analysis · medium
recovering-deleted-files-with-photorec
digital forensics · low
reverse-engineering-android-malware-with-jadx
malware analysis · medium
reverse-engineering-dotnet-malware-with-dnspy
malware analysis · medium
reverse-engineering-malware-with-ghidra
malware analysis · medium
reverse-engineering-ransomware-encryption-routine
malware analysis · medium
reverse-engineering-rust-malware
malware analysis · medium
scanning-container-images-with-grype
container security · low
scanning-docker-images-with-trivy
container security · low
scanning-kubernetes-manifests-with-kubesec
container security · low
securing-container-registry-with-harbor
container security · low
securing-helm-chart-deployments
container security · low
testing-for-xss-vulnerabilities
penetration testing · medium
triaging-security-alerts-in-splunk
soc operations · low
© 2026 Casky.AI, Inc. · AI Security Investigation