A 7-Zip vulnerability enables code smuggling with manipulated archives. Attackers can try to trick 7-Zip users into installing malicious code. An update is available.

The 7-Zip compression tool contains a security vulnerability that allows attackers from the network to inject and execute malicious code using manipulated archives. A software update is available. 7-Zip should take action and download and install the update.

Code smuggling from the Internet

The security advisory from Trend Micro's Zero-Day Initiative discusses the vulnerability. According to this, an integer underflow can occur when decompressing files compressed using Zstandard before the code writes to memory. The error is based on insufficient checking of user-supplied data and can be abused to inject and launch malicious code (CVE-2024-11477, CVSS 7.8, risk high).

If attackers convince 7-Zip users to open carefully prepared archives from the Internet - for example in the form of an email attachment or a shared file - they can slip malware onto them. The Zstandard format is used more frequently under Linux, and is available as an option for Btrfs, SquashFS or OpenZFS. It is said to provide similar compression to Deflate (for example via zlib or for HTTP compression), but is faster, especially when it comes to decompression.

IT researchers discovered the vulnerability in June already and reported it to 7-Zip. The developer has fixed the vulnerability with version 24.07. Version 24.08 is currently available for download.

7-Zip does not have an integrated update mechanism, so users of the software have to take action themselves and download and install the new version.