Heap-Based Buffer Overflow in 7-Zip and p7zip Products
CVE-2017-17969
7.8 HIGH
What is CVE-2017-17969?
A heap-based buffer overflow exists in the NCompress::NShrink::CDecoder::CodeReal method of 7-Zip and p7zip prior to version 18.00. A remote attacker can trigger the flaw with a crafted ZIP archive, causing an out-of-bounds write. Successful exploitation can result in denial of service or potentially the execution of arbitrary code, posing significant risks to affected systems.
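A triage check a defender might run on inbound archives, as an added example that is not part of the original advisory: the Shrink decoder named above handles ZIP compression method 1, so this flags members that carry that method in either the local or the central header. The function names and the sample archive are constructed for illustration.

```python
import io
import struct
import zipfile

SHRINK = 1                   # ZIP compression method 1 ("Shrunk") in the ZIP format spec
LOCAL_SIG = b"PK\x03\x04"    # local file header: method @8, name length @26, name @30
CENTRAL_SIG = b"PK\x01\x02"  # central directory header: method @10, name length @28, name @46


def _headers(data, sig, method_off, name_len_off, fixed_len):
    """Yield (method, name) for every header found with this signature."""
    pos = data.find(sig)
    while pos != -1:
        if pos + fixed_len <= len(data):  # skip truncated headers
            (method,) = struct.unpack_from("<H", data, pos + method_off)
            (name_len,) = struct.unpack_from("<H", data, pos + name_len_off)
            name = data[pos + fixed_len: pos + fixed_len + name_len]
            yield method, name.decode("cp437", "replace")
        pos = data.find(sig, pos + 4)


def shrink_entries(data):
    """Return sorted member names marked as Shrink in either header kind.

    Both header kinds are checked because a hostile archive may make
    them disagree; one hit is enough to hold the file.
    """
    specs = ((LOCAL_SIG, 8, 26, 30), (CENTRAL_SIG, 10, 28, 46))
    return sorted({name for spec in specs
                   for method, name in _headers(data, *spec)
                   if method == SHRINK})


def make_sample(local_method, central_method):
    """Constructed sample: one stored member with the method fields rewritten.

    Only the header field changes; the payload is the plain bytes b"hello".
    """
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("a.txt", b"hello")
    raw = bytearray(buf.getvalue())
    struct.pack_into("<H", raw, raw.find(LOCAL_SIG) + 8, local_method)
    struct.pack_into("<H", raw, raw.find(CENTRAL_SIG) + 10, central_method)
    return bytes(raw)


if __name__ == "__main__":
    print(shrink_entries(make_sample(SHRINK, SHRINK)))
```

Scanning by signature can over-report when the byte pattern occurs inside member data, which is acceptable for a hold-and-review gate. Flagged archives should only be opened with 7-Zip or p7zip 18.00 or later.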