
There seems to be no end in sight for serious, wide-ranging security vulnerabilities these days. The ever-popular open-source archive-handling utility 7-Zip is now in the spotlight due to an 8.8-rated CVE vulnerability in its archive-opening procedure. If a user simply opens a booby-trapped crafted archive (.7z, .zip, .rar, etc.) on a machine with at least 16 GB of RAM, they'll be running malicious code. Extracting the archive isn't necessary; opening it is enough. We recommend that everyone immediately update to the latest version, 26.01, published in late April; all previous versions are vulnerable.

This is a particularly "oh sugar honey ice tea" moment because of how widespread 7-Zip is in practice. Most people would only think of the Windows graphical application, but every command-line variant is vulnerable across multiple operating systems. 7-Zip doesn't have any built-in update mechanism, relying instead on user-initiated updates or package management systems.

The Windows application being vulnerable is bad enough; on top of that, millions of command-line scripts are indirectly vulnerable, as are CI/CD workflows. Anything that so much as calls any variant of the "7z" binary and opens a poisoned archive, even if just to list the contents, is at risk.

Adding fuel to the fire, a good number of Linux distributions ship long-outdated "p7zip" ports of the utility. Heck, just think of a server that automatically lists archive contents for some reason; it's almost certainly vulnerable. SourceForge lists some 400 million 7-Zip downloads, while Chocolatey has 24.5 million, so adding copious amounts of Linux servers and VMs to that, we could be discussing hundreds of millions of vulnerable machines.

But wait, there's more. The open nature of 7z means that its base libraries are included in a wealth of third-party software. Potential targets for exploitation include anti-virus scanners, backup and automation tools, log analysis software, malware analysis with automated scanning, and even many file managers.

In practice, the aforementioned software doesn't require user intervention to ingest a poisoned archive, and the situation gets worse because a good portion of it runs with elevated permissions. All things considered, it's reasonable to guess that almost every computer and server has some exploitable 7-Zip binary or code that's vulnerable to what amounts to a drive-by attack.

Some cursory testing of our own shows that Ubuntu 24, Ubuntu 26, and RHEL 8 all carry vulnerable versions. If all that wasn't bad enough, many OEM systems include 7-Zip by default because it's great, open, and free. The "p7zip" package is common across Fedora; many Docker images also run on mainline versions.

The actual vulnerability is fairly complicated to describe, but it lies in the code 7-Zip uses to open NTFS disk images. Opening .ntfs and .img disk images has long been a feature of 7-Zip, and a bug in that code lets an attacker supply incorrect size values for a buffer, which in turn can be made bigger than intended and filled with malicious code that then gets executed. If by now you're thinking "I don't use those file types", note that 7-Zip doesn't use the file extension to determine a file's type; it relies on the file's first few bytes, so a malicious NTFS image inside a .7z, .rar, .zip (or other) archive will work just fine.
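Two of the points above lend themselves to a defender-side check: the article's advice that any 7-Zip or p7zip build older than 26.01 is vulnerable (which matters for the scripts and CI/CD jobs that call the `7z` binary), and its observation that 7-Zip identifies content by the leading bytes rather than the file extension, so an NTFS image can hide inside an ordinary-looking archive entry. The following Python is an added example written for this page; it is not code from 7-Zip, p7zip or Tom's Hardware. It assumes only the standard library, uses the publicly documented NTFS boot-sector signature (a 3-byte jump followed by the OEM ID `NTFS    `), and treats 26.01 as the fixed version exactly as the article states. The version banners and the sample .zip are constructed for the demonstration.

```python
"""Defender-side triage checks for the 7-Zip archive-opening bug described above.

Added example, not code from the 7-Zip project. Two independent checks:
  1. parse_7z_banner / is_vulnerable_version: classify the first line of
     `7z` output as older than the fixed release (26.01 per the article).
  2. find_ntfs_entries: open a .zip and report entries whose first bytes carry
     the NTFS boot-sector signature, whatever their extension, mirroring
     7-Zip's own content-based type detection.
"""
import io
import re
import zipfile

# Fixed release named in the article; everything below it is treated as vulnerable.
FIXED_VERSION = (26, 1)

# NTFS boot sector starts with the jump EB 52 90 followed by the OEM ID "NTFS    ".
NTFS_SIGNATURE = b"\xEB\x52\x90NTFS    "

# Matches both upstream 7-Zip ("7-Zip 24.08 (x64) : ...") and the p7zip port
# ("p7zip Version 16.02 (locale=...)") banner formats.
_BANNER_RE = re.compile(r"(?:7-Zip|p7zip Version)\s+(\d+)\.(\d+)")


def parse_7z_banner(banner: str):
    """Return (major, minor) parsed from a `7z` banner line, or None if unrecognised."""
    m = _BANNER_RE.search(banner)
    if not m:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable_version(banner: str) -> bool:
    """True when the banner reports a release older than FIXED_VERSION."""
    version = parse_7z_banner(banner)
    if version is None:
        raise ValueError(f"unrecognised 7z banner: {banner!r}")
    return version < FIXED_VERSION


def sniff_ntfs(head: bytes) -> bool:
    """True if the leading bytes look like an NTFS boot sector."""
    return head.startswith(NTFS_SIGNATURE)


def find_ntfs_entries(zip_bytes: bytes):
    """Names of .zip entries whose content starts with the NTFS signature.

    Only the first len(NTFS_SIGNATURE) bytes of each entry are read, so the
    check stays cheap on large archives. The entry name is deliberately ignored.
    """
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as entry:
                head = entry.read(len(NTFS_SIGNATURE))
            if sniff_ntfs(head):
                hits.append(info.filename)
    return hits


def build_sample_zip() -> bytes:
    """Constructed test archive: one plain text file plus an NTFS-looking blob
    disguised as 'docs/readme.txt'. The blob is just a header, not a usable image."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("notes.txt", "plain text, nothing to see\n")
        zf.writestr("docs/readme.txt", NTFS_SIGNATURE + b"\x00" * 500)
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed banners in the two formats the regex understands.
    banners = [
        "7-Zip 24.08 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-08-11",
        "p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,4 CPUs)",
        "7-Zip 26.01 (x64)",
    ]
    for b in banners:
        status = "VULNERABLE" if is_vulnerable_version(b) else "fixed"
        print(f"{parse_7z_banner(b)} -> {status}")
    print("NTFS-signature entries:", find_ntfs_entries(build_sample_zip()))
```

In a fleet audit, feed `parse_7z_banner` the first line of `7z` (or `7za`, `7zr`) run with no arguments on each host, including inside container images; the p7zip format is handled because, as the article notes, distribution ports sit on old version numbers. The entry sniffer is a triage filter for archives arriving at an automated pipeline, not a fix: it only catches an NTFS header at the very start of a stored entry, it reads .zip rather than .7z or .rar because the standard library has no reader for those, and the actual mitigation remains updating every 7-Zip build to 26.01.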