7-Zip SquashFS File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability
CVE-2023-40481
7.8 HIGH
Summary
A vulnerability in 7-Zip's parsing of SquashFS (SQFS) files allows remote attackers to execute arbitrary code on affected installations. The flaw arises from inadequate validation of user-supplied data when handling SQFS files, which leads to out-of-bounds writes to a memory buffer. Exploitation requires user interaction: the victim must either visit a malicious website or open a specially crafted file. Successful exploitation potentially allows the attacker to execute code within the context of the affected application. For further details, see the advisories from the Zero Day Initiative and vendor discussions.
Affected Version(s)
7-Zip 22.01
References
CVSS V3.1
Score: 7.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved