Red Hot Cyber


Vulnerability in 7-Zip: Attackers can perform denial-of-service attacks

Redazione RHC: 21 July 2025 07:52

A critical security flaw related to memory corruption has been discovered in the popular 7-Zip archiver. This vulnerability can be exploited by attackers to cause denial-of-service conditions by creating malicious RAR5 archives. This is CVE-2025-53816, also known as GHSL-2025-058, and affects all 7-Zip releases prior to 25.00.

This flaw, discovered by researcher Jaroslav Lobačevski, has been assigned a CVSS score of 5.5, placing it in the medium severity category. While the flaw is not known to allow arbitrary code execution, it could still pose substantial risks for denial-of-service attacks, especially against systems handling potentially unsafe archive files.

The vulnerability arises from a heap buffer overflow in the implementation of 7-Zip’s RAR5 decoder. Specifically, the flaw occurs in the NCompress::NRar5::CDecoder component when the software attempts to recover corrupt archive data by padding the damaged sections with zeros.

The root cause is a value calculation error during memory zeroing operations. When processing RAR5 archives, the decoder calls My_ZeroMemory(_window + _winPos, (size_t)rem), where the rem parameter is calculated as _lzEnd - lzSize. However, the _lzEnd variable depends on the size of previous elements in the archive, which can be controlled by attackers.

This miscalculation allows attackers to write zeros beyond the allocated heap buffer, potentially corrupting adjacent memory regions and causing application crashes. Testing with AddressSanitizer (ASAN) has shown that specially crafted RAR5 files can trigger a heap buffer overflow, with a proof-of-concept that caused a write of 9,469 bytes beyond the allocated buffer.
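To make the bounds problem concrete, here is a constructed model of the padding step, added here as an illustration and not taken from 7-Zip's source or the upstream fix: the window, the pad_len_unchecked and pad_window_checked helpers, and all sizes are assumptions. The unchecked helper reproduces the arithmetic the article describes (rem = _lzEnd - lzSize, with no reference to the room left in the window); the checked variant shows the shape of validation that rejects a padding request that would run past the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the RAR5 decoder's recovery padding (not 7-Zip's code).
 * The decoder pads damaged data with zeros starting at window[win_pos]; the
 * byte count, rem, is derived from archive-controlled sizes. */

/* Vulnerable arithmetic as described: rem = _lzEnd - lzSize, computed without
 * regard to how much window remains. This helper only returns the count and
 * deliberately performs no write. */
size_t pad_len_unchecked(uint64_t lz_end, uint64_t lz_size)
{
    return (size_t)(lz_end - lz_size);
}

/* Hardened variant (an assumed fix shape, not the upstream patch): reject a
 * request that is inconsistent with the stream or that would overrun the
 * window. Returns the number of bytes zeroed, or -1 if rejected. */
long pad_window_checked(uint8_t *window, size_t win_size, size_t win_pos,
                        uint64_t lz_end, uint64_t lz_size)
{
    if (win_pos > win_size)          /* cursor already out of range */
        return -1;
    if (lz_end < lz_size)            /* subtraction would wrap around */
        return -1;
    uint64_t rem = lz_end - lz_size;
    size_t room = win_size - win_pos;
    if (rem > room)                  /* the heap overflow the CVE describes */
        return -1;
    memset(window + win_pos, 0, (size_t)rem);
    return (long)rem;
}

int main(void)
{
    uint8_t window[4096];
    memset(window, 0xAA, sizeof window);
    /* constructed values: the archive claims far more data than the window holds */
    size_t rem = pad_len_unchecked(16000, 3000);
    printf("unchecked rem=%zu, room left=%zu\n", rem, sizeof window - 1000);
    printf("checked (oversized): %ld\n",
           pad_window_checked(window, sizeof window, 1000, 16000, 3000));
    printf("checked (sane): %ld\n",
           pad_window_checked(window, sizeof window, 1000, 3500, 3000));
    return 0;
}
```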

7-Zip is one of the most widely used file archiving tools in the world: the official website receives over 1.3 million visits per month, and the software is downloaded millions of times through various distribution channels. The software’s popularity among both personal and business users amplifies the potential impact of this vulnerability.

Memory corruption vulnerabilities such as this can have serious consequences, including system crashes, data corruption, and service disruptions. While this specific vulnerability is unlikely to allow remote code execution, it provides attackers with a reliable method to crash 7-Zip processes, potentially disrupting automated file processing systems or user workflows.

This weakness is extremely alarming, given that archives have become a prime target for cyberattacks, accounting for 39% of malware delivery strategies, according to recent threat research. Cyberattackers routinely exploit weaknesses in archive management to bypass security systems and deliver payloads.

Organizations processing untrusted archive files should implement additional security measures, including restricting access to potentially malicious RAR5 archives and implementing comprehensive file validation before processing.

Redazione
The editorial team of Red Hot Cyber consists of a group of individuals and anonymous sources who actively collaborate to provide early information and news on cybersecurity and computing in general.
