Wide-ranging 7-zip vulnerability with 8.8 CVE rating allows for code execution — hundreds of millions of machines potentially at risk

Blizine Admin


There seems to be no end in sight for serious, wide-ranging security vulnerabilities these days. The ever-popular open-source archive-handling utility 7-Zip is now in the spotlight due to an 8.8-rated CVE vulnerability in its archive-opening procedure. If a user simply opens a booby-trapped crafted archive (.7z, .zip, .rar, etc.) on a machine with at least 16 GB of RAM, they'll be running malicious code. Extracting the archive isn't necessary; only opening it is enough. We recommend that everyone immediately update to the latest version, 26.01, published in late April; all previous versions are vulnerable.

This is a particularly "oh sugar honey ice tea" moment because of how widespread 7-Zip is in practice. Most people would only think of the Windows graphical application, but every command-line variant is vulnerable across multiple operating systems. 7-Zip doesn't have any built-in update mechanisms, relying instead on user-initiated updates or package management systems.

The Windows application being vulnerable is bad enough; however, one needs to add millions of command-line scripts that are indirectly vulnerable, as are CI/CD workflows. Anything that so much as calls any variant of the "7z" binary and opens a poisoned archive, even if just to list the contents, is at risk.
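Because 7-Zip has no self-update and ships under several binary names, the practical first step for a defender is to inventory which 7z-family binaries a host carries and whether each predates 26.01. The following Python is an added example, not code from Tom's Hardware or from the 7-Zip project. It assumes that each binary, run with no arguments, prints a banner whose first "NN.NN" token is its version (the sample banners below are constructed to model that shape, not captured from a real machine), and that the binary names listed cover the installed variants; extend the list for your own environment.

```python
import re
import shutil
import subprocess

# First version the article reports as fixed; everything older is treated as vulnerable.
FIXED_VERSION = (26, 1)

# Names the 7-Zip family is commonly installed under (upstream 7z, p7zip's 7za/7zr,
# the newer Linux 7zz build). Assumption: illustrative, not exhaustive.
BINARY_NAMES = ("7z", "7za", "7zr", "7zz")

# Constructed sample banners (not captured from a real host) in the shape the upstream
# and p7zip builds print; the version is the first "NN.NN" token on the first line.
SAMPLE_BANNERS = {
    "upstream": "7-Zip 23.01 (x64) : Copyright (c) 1999-2023 Igor Pavlov : 2023-06-20",
    "p7zip": ("7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21\n"
              "p7zip Version 16.02 (locale=C,Utf16=off,HugeFiles=on,64 bits,8 CPUs)"),
    "fixed": "7-Zip 26.01 (x64) : Copyright (c) 1999-2026 Igor Pavlov : <build date>",
}

VERSION_RE = re.compile(r"\b(\d+)\.(\d+)\b")


def parse_version(banner: str):
    """Return (major, minor) from a 7z banner, or None if no version token is present."""
    m = VERSION_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version) -> bool:
    """True when the detected version predates the fix the article reports (26.01)."""
    return version is not None and version < FIXED_VERSION


def banner_of(path: str) -> str:
    """Run the binary with no arguments; 7z prints its banner and usage text and exits."""
    proc = subprocess.run([path], capture_output=True, text=True, timeout=10)
    return proc.stdout + proc.stderr


def inventory(path_env=None):
    """Locate every 7z-family binary on PATH and classify it by version.

    path_env overrides the PATH searched, which lets callers point the scan at a
    specific directory (or, in tests, at nothing).
    """
    results = {}
    for name in BINARY_NAMES:
        path = shutil.which(name, path=path_env)
        if path is None or path in results:
            continue
        try:
            version = parse_version(banner_of(path))
        except (OSError, subprocess.SubprocessError):
            version = None  # could not run it; report as unknown rather than safe
        results[path] = {"version": version, "vulnerable": is_vulnerable(version)}
    return results


if __name__ == "__main__":
    for path, info in inventory().items():
        if info["version"] is None:
            status = "unknown (could not parse banner)"
        else:
            status = "UPDATE to 26.01+" if info["vulnerable"] else "ok"
        print(f"{path}: {info['version']} -> {status}")
```

An "unknown" result is deliberately not treated as safe: a binary whose banner cannot be parsed still needs a manual look, and the same applies to copies of the 7z libraries embedded in other software, which a PATH scan will not find.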

Adding fuel to the fire, a good number of Linux distributions come with long-outdated "p7zip" ports of the utility. Heck, just think of a server that automatically lists archive contents for some reason, and it's almost certainly vulnerable. SourceForge lists some 400 million 7-Zip downloads, while Chocolatey has 24.5 million, so adding to that copious amounts of Linux servers and VMs, we could be discussing hundreds of millions of vulnerable machines.

But wait, there's more. The open nature of 7z means that its base libraries are included among a wealth of third-party software. Potential targets for exploitation include anti-virus scanners, backup and automation tools, log analysis software, malware analysis with automated scanning, and even many file managers.

In practice, the aforementioned software doesn't require user intervention to ingest a poisoned archive, and the situation gets worse because a good portion of it runs with elevated permissions. All things considered, it's reasonable to guess that almost every computer and server has some exploitable 7-Zip binary or code that's vulnerable to what amounts to a drive-by attack.

Some cursory testing of our own shows that Ubuntu 24, Ubuntu 26, and RHEL 8 all carry vulnerable versions. If all that wasn't bad enough, many OEM systems include 7-Zip by default because it's great, open, and free. The "p7zip" package is common across Fedora; many Docker images also run on mainline versions.

The actual vulnerability is fairly complicated to describe, but pertains to a part of code that 7-Zip can use to open NTFS disk images. Opening .ntfs and .img disk images has long been a feature of 7-Zip, and there's a bug in the code that allows an attacker to provide incorrect values for a buffer, which in turn can be made bigger than intended and contain malicious code to be executed. If by now you're thinking "I don't use those file types", 7-Zip doesn't use the file extension to determine its type — it relies on the file's first few bytes, so providing a malicious NTFS image inside a .7z, .rar, .zip (and others) will work just fine.



Bruno Ferreira, Contributor

Bruno Ferreira is a contributing writer for Tom's Hardware. He has decades of experience with PC hardware and assorted sundries, alongside a career as a developer. He's obsessed with detail and has a tendency to ramble on the topics he loves. When not doing that, he's usually playing games, or at live music shows and festivals.


📰Originally published at tomshardware.com
