A critical security vulnerability has been discovered in 7-Zip, the popular file compression utility, potentially allowing attackers to execute malicious code through specially crafted archives.
The flaw, tracked as CVE-2024-11477, carries a high CVSS score of 7.8 and affects recent versions of the software.
The vulnerability exists within 7-Zip's implementation of Zstandard decompression, where improper validation of user-supplied data can result in an integer underflow before writing to memory. Security researcher Nicholas Zubrisky of Trend Micro Security Research identified the issue, which was initially reported to the 7-Zip developers in June 2024, according to the advisory.
Technical analysis of the vulnerability reveals it involves the handling of sequence tables in the Zstandard compression format, particularly affecting how the software processes literal length, offset, and match length values.
The flaw could potentially be triggered when users interact with maliciously crafted archives, though successful exploitation requires specific conditions to be met.
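To make the bug class concrete, here is an added, constructed example in C; it is not 7-Zip's code and does not reproduce the actual flawed routine. It models a decoder that validates a Zstandard-style sequence (literal length, offset, match length) against the space left in the output buffer. The vulnerable check subtracts the literal length from an unsigned `remaining` counter before comparing it, so an oversized literal length wraps the counter and the match-length check that follows is bypassed; the hardened check compares before every subtraction. The `sequence_t` struct, the function names and the sample inputs are all assumptions made for this illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One decoded sequence: emit literal_len raw bytes, then copy match_len bytes
 * starting `offset` bytes back in the output already produced. These are the
 * three values the article names; the struct layout is constructed for this
 * example and is not 7-Zip's. */
typedef struct {
    size_t literal_len;
    size_t offset;
    size_t match_len;
} sequence_t;

/* Constructed model of the bug class: `remaining` is unsigned and literal_len
 * is subtracted from it BEFORE it is compared against anything. When
 * literal_len > remaining the subtraction wraps to a huge value, so the
 * match_len check that follows passes for any match_len and a caller that
 * trusted this verdict would write past the end of the output buffer. */
bool sequence_fits_vulnerable(const sequence_t *s, size_t written, size_t out_len)
{
    size_t remaining = out_len - written;
    remaining -= s->literal_len;               /* integer underflow when literal_len > remaining */
    if (s->match_len > remaining)              /* never true after the wrap */
        return false;
    if (s->offset == 0 || s->offset > written + s->literal_len)
        return false;
    return true;
}

/* Hardened check: every subtraction is guarded by a comparison first, so no
 * intermediate value can wrap. */
bool sequence_fits_hardened(const sequence_t *s, size_t written, size_t out_len)
{
    if (written > out_len)
        return false;
    size_t remaining = out_len - written;
    if (s->literal_len > remaining)
        return false;
    remaining -= s->literal_len;
    if (s->match_len > remaining)
        return false;
    /* A match may only reference bytes that already exist in the output. */
    if (s->offset == 0 || s->offset > written + s->literal_len)
        return false;
    return true;
}

/* Apply a list of sequences using the hardened check. Returns the number of
 * bytes written, or 0 if any sequence is rejected. */
size_t apply_sequences(const sequence_t *seqs, size_t nseq,
                       const uint8_t *literals, size_t nlit,
                       uint8_t *out, size_t out_len)
{
    size_t written = 0, lit_pos = 0;
    for (size_t i = 0; i < nseq; i++) {
        const sequence_t *s = &seqs[i];
        if (!sequence_fits_hardened(s, written, out_len))
            return 0;
        if (s->literal_len > nlit - lit_pos)   /* literal stream exhausted */
            return 0;
        memcpy(out + written, literals + lit_pos, s->literal_len);
        lit_pos += s->literal_len;
        written += s->literal_len;
        /* Byte-wise copy so an overlapping match (offset < match_len) repeats correctly. */
        for (size_t k = 0; k < s->match_len; k++, written++)
            out[written] = out[written - s->offset];
    }
    return written;
}

/* Constructed hostile sequence: 20 literals claimed for a 16-byte buffer. */
static const sequence_t OVERSIZED = { .literal_len = 20, .offset = 1, .match_len = 100 };

bool demo_vulnerable_accepts_oversized(void) { return sequence_fits_vulnerable(&OVERSIZED, 0, 16); }
bool demo_hardened_accepts_oversized(void)   { return sequence_fits_hardened(&OVERSIZED, 0, 16); }

/* Constructed benign input: literals "ab", then two matches; expected output "abababbb". */
size_t demo_decode(void)
{
    const sequence_t seqs[] = {
        { .literal_len = 2, .offset = 2, .match_len = 4 },   /* "ab" + "abab" */
        { .literal_len = 0, .offset = 1, .match_len = 2 },   /* + "bb" */
    };
    uint8_t out[16] = {0};
    size_t n = apply_sequences(seqs, 2, (const uint8_t *)"ab", 2, out, sizeof out);
    return (n == 8 && memcmp(out, "abababbb", 8) == 0) ? n : 0;
}

int main(void)
{
    printf("vulnerable check accepts oversized sequence: %s\n",
           demo_vulnerable_accepts_oversized() ? "yes" : "no");
    printf("hardened check accepts oversized sequence:   %s\n",
           demo_hardened_accepts_oversized() ? "yes" : "no");
    printf("benign decode produced %zu bytes\n", demo_decode());
    return 0;
}
```

The pattern to look for when reviewing decompression code is any unsigned subtraction whose operands come from the input (lengths, offsets, counts) that is performed before the corresponding range check; compilers will not warn about it, and a fuzzer with sanitizers enabled is the most reliable way to surface the resulting out-of-bounds write.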
The vulnerability is particularly concerning as Zstandard compression is widely used in Linux environments, including popular file systems like Btrfs, SquashFS, and OpenZFS. If exploited, attackers could potentially execute arbitrary code with the same access rights as the logged-in user, potentially leading to complete system compromise.
There is an awesome follow-up video from Low Level (@LowLevelTweets), which you should check out.
7-Zip has addressed the security issue in version 24.07. However, since the software lacks an automatic update mechanism, users must manually download and install the latest version to protect their systems. IT administrators and software developers who implement 7-Zip in their products should prioritize updating their installations to the patched version.
The vulnerability affects versions 24.05 and 24.06 of 7-Zip, with the fix implemented in version 24.07. While the vulnerability has received significant attention, detailed technical analysis suggests that successful exploitation may be more complex than initially reported.
Organizations and individuals using 7-Zip, or products that incorporate its functionality, should update to the latest version as soon as possible. Users can download the patched version from the official 7-Zip website. Currently, there are no known instances of this vulnerability being actively exploited in the wild.