CVE-2023-31102
published 2023-11-03

CVE-2023-31102: Ppmd7.c in 7-Zip before 23.00 allows an integer underflow and invalid read operation via a crafted 7Z archive.

Priority: P3 55 high
CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS: 71.04% (99.3rd percentile)
Affected

4 ranges

Vendor  | Product | Version range                 | Fixed in
7-zip   | 7-zip   | < 22.01                       | 22.01
7-zip   | p7zip   | >= 0 < 16.02+transitional.1   | 16.02+transitional.1
debian  | 7zip    | < 7zip 23.01+dfsg-1 (forky)   | 7zip 23.01+dfsg-1 (forky)
debian  | p7zip   | < 7zip 23.01+dfsg-1 (forky)   | 7zip 23.01+dfsg-1 (forky)

Detection & IOCs (extracted from sources)

snort
alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT 7-Zip 7z File PPMd Properties Parsing Integer Underflow (CVE-2023-31102)"; flow:established,to_client; file.magic; content:"7-zip archive"; startswith; file.data; content:"7z|bc af 27 1c 00 30 00 00|"; startswith; fast_pattern; pcre:"/\x30{24,}\x00\x30{24,}\x17\x06\x1a\x01/"; filesize:<10000; reference:url,ds-security.com/post/integer-overflow-in-7-zip-cve-2023-31102/; reference:cve,2023-31102; classtype:misc-attack; sid:2065690; rev:1; metadata:attack_target Client_Endpoint, created_at 2025_11_06, cve CVE_2023_31102, deployment Perimeter, deployment Internal, confidence Low, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_06; target:dest_ip;)
bytes
7z|bc af 27 1c 00 30 00 00|
bytes
\x30{24,}\x00\x30{24,}\x17\x06\x1a\x01
  • Trigger on 7Z archive files (magic bytes match '7-zip archive') delivered over TCP to client endpoints where the file data starts with the PPMd properties byte sequence '7z bc af 27 1c 00 30 00 00' and the body matches the PCRE pattern for repeated 0x30 bytes followed by \x17\x06\x1a\x01 — indicative of a crafted PPMd properties field causing integer underflow in Ppmd7.c.
  • The malicious 7Z file is small (under 10,000 bytes); filter for anomalously small 7Z archives as a triage signal.
  • The vulnerability is triggered during parsing of 7Z files via the PPMd properties in Ppmd7.c; focus detection on 7Z file open/parse events in endpoint telemetry, especially when user interaction (file open) is involved.
  • The Snort/Suricata rule (sid:2065690) is marked confidence:Low by Proofpoint Nexus — expect potential false positives; tune filesize and PCRE thresholds for your environment before deploying in blocking mode.
  • No known public exploitation specifically targeting this vulnerability has been reported to CISA; prioritize patching over detection urgency accordingly.
  • The vulnerability is local (AV:L) and requires user interaction (UI:R) — network-based detection rules will only fire if the crafted 7Z is delivered over TCP (e.g., HTTP/FTP download); file-at-rest scanning on endpoints is also needed for full coverage.
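As an added example (not from the advisory, the rule author, or the 7-Zip project), the following Python re-expresses the Snort rule's three conditions (prefix content, PCRE body pattern, filesize < 10000) as the file-at-rest check the last bullet calls for; the sample buffers are constructed fixtures, not real archives.

```python
"""File-at-rest check for the CVE-2023-31102 PPMd-properties signature.

Added example, not code from the advisory or the 7-Zip project. It mirrors
the Snort rule's conditions so that 7z files already on disk can be triaged
with the same logic the network rule applies to downloads.
"""
import re
from pathlib import Path
from typing import Union

# Byte prefix from the Snort rule: 7z signature followed by 00 30 00 00.
PPMD_PREFIX = b"7z\xbc\xaf\x27\x1c\x00\x30\x00\x00"
# Body pattern from the rule's pcre: two runs of >=24 0x30 bytes separated
# by a NUL, then the bytes 17 06 1a 01.
PPMD_BODY = re.compile(rb"\x30{24,}\x00\x30{24,}\x17\x06\x1a\x01")
MAX_SIZE = 10_000  # rule: filesize:<10000
# Standard six-byte 7z signature shared by every 7z archive.
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"


def check_7z_bytes(data: bytes) -> dict:
    """Report which of the rule's conditions the buffer satisfies."""
    result = {
        "is_7z": data.startswith(SEVENZ_MAGIC),
        "small": len(data) < MAX_SIZE,
        "ppmd_prefix": data.startswith(PPMD_PREFIX),
        "ppmd_body": PPMD_BODY.search(data) is not None,
    }
    # Match only when every condition holds, as the Snort rule does. The rule
    # is rated confidence:Low, so a hit is a triage signal, not a verdict.
    result["match"] = all(result.values())
    return result


def check_7z_file(path: Union[str, Path]) -> dict:
    """Convenience wrapper for scanning a file on disk."""
    return check_7z_bytes(Path(path).read_bytes())


# Constructed fixtures: one buffer shaped like the signature, and one
# ordinary 7z header (format version 0.4) with no PPMd body pattern.
SUSPICIOUS_SAMPLE = (PPMD_PREFIX + b"\x30" * 24 + b"\x00" + b"\x30" * 24
                     + b"\x17\x06\x1a\x01" + b"\x00" * 16)
BENIGN_SAMPLE = SEVENZ_MAGIC + b"\x00\x04" + b"\x00" * 64

if __name__ == "__main__":
    for name, buf in (("suspicious", SUSPICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(name, check_7z_bytes(buf))
```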

CVSS provenance

nvd: v3.1 7.8 HIGH (CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
osv: 7.8 HIGH
vendor_debian: 7.8 HIGH