CVE-2023-31102
Published 2023-11-03
Priority: P3 (55, high) · CVSS 3.1: 7.8
CVSS vector: AV:L / AC:L / PR:N / UI:R / S:U / C:H / I:H / A:H
EPSS: 71.04% (99.3rd percentile)
Ppmd7.c in 7-Zip before 23.00 allows an integer underflow and invalid read operation via a crafted 7Z archive.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| 7-zip | 7-zip | < 23.00 | 23.00 |
| 7-zip | p7zip | >= 0 < 16.02+transitional.1 | 16.02+transitional.1 |
| debian | 7zip | < 23.01+dfsg-1 (forky) | 23.01+dfsg-1 (forky) |
| debian | p7zip | < 7zip 23.01+dfsg-1 (forky) | 7zip 23.01+dfsg-1 (forky) |
The upstream 7-zip row follows the CVE description (affected before 23.00; GHSA lists 22.01 as the last affected release). Debian's p7zip is resolved by the transitional package that replaces it with 7zip.
Detection & IOCs (extracted from sources)
Suricata rule (ET Open, sid 2065690; the feed labels it "snort", but `file.magic`, `file.data` and `startswith` are Suricata keywords):
```
alert tcp any any -> $HOME_NET any (msg:"ET EXPLOIT 7-Zip 7z File PPMd Properties Parsing Integer Underflow (CVE-2023-31102)"; flow:established,to_client; file.magic; content:"7-zip archive"; startswith; file.data; content:"7z|bc af 27 1c 00 30 00 00|"; startswith; fast_pattern; pcre:"/\x30{24,}\x00\x30{24,}\x17\x06\x1a\x01/"; filesize:<10000; reference:url,ds-security.com/post/integer-overflow-in-7-zip-cve-2023-31102/; reference:cve,2023-31102; classtype:misc-attack; sid:2065690; rev:1; metadata:attack_target Client_Endpoint, created_at 2025_11_06, cve CVE_2023_31102, deployment Perimeter, deployment Internal, confidence Low, signature_severity Minor, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_11_06; target:dest_ip;)
```
Extracted byte patterns:
- content (bytes): `7z|bc af 27 1c 00 30 00 00|`
- pcre (bytes): `\x30{24,}\x00\x30{24,}\x17\x06\x1a\x01`
Notes:
- The rule fires on 7Z archives (libmagic type "7-zip archive") delivered over established TCP to client endpoints whose file data begins with the 7z signature `7z BC AF 27 1C` followed by `00 30 00 00` (an archive version field of major 0, minor 0x30, where 7-Zip writes 0.4, followed by the first two bytes of the start-header CRC) and whose body matches the PCRE: a run of at least 24 0x30 bytes, a 0x00, another run of at least 24 0x30 bytes, then `17 06 1a 01`. The content match sits in the archive's signature header, not in the PPMd coder properties themselves; the pattern fingerprints a specific crafted sample rather than the underflow condition.
- The crafted 7Z is small (the rule requires a filesize under 10,000 bytes); anomalously small 7Z archives are a triage signal.
- The bug is reached while 7-Zip decodes the PPMd stream described by the archive's PPMd properties (Ppmd7.c); focus endpoint detection on 7Z open/parse events, especially those that follow user interaction (file open).
- The rule (sid 2065690) is marked confidence Low by Proofpoint Nexus; expect false positives and tune the filesize threshold and PCRE for your environment before deploying it in blocking mode.
- No public exploitation targeting this vulnerability has been reported to CISA (not in KEV); prioritize patching over detection urgency accordingly.
- The vulnerability is local (AV:L) and requires user interaction (UI:R); a network rule only fires if the crafted 7Z crosses the wire (e.g. an HTTP/FTP download), so file-at-rest scanning on endpoints is needed for full coverage.
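The rule above only sees archives that cross the network. The following Python, added here as an example and not code from Proofpoint, 7-Zip or the referenced write-up, applies the rule's three conditions (filesize, leading content, PCRE) to a file at rest and adds two structural checks derived from the fixed 32-byte 7z signature header (6-byte magic, major/minor version, CRC32 of the following 20 bytes, next-header offset/size/CRC). The three sample files are constructed inline; the version and CRC heuristics are this example's own assumptions, not conditions from the advisory.

```python
import re
import struct
import zlib

# 7z signature header (32 bytes, little-endian): magic, major, minor,
# StartHeaderCRC, NextHeaderOffset, NextHeaderSize, NextHeaderCRC.
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
# The three conditions lifted from ET sid 2065690.
RULE_CONTENT = SEVENZ_MAGIC + b"\x00\x30\x00\x00"
RULE_PCRE = re.compile(rb"\x30{24,}\x00\x30{24,}\x17\x06\x1a\x01")
RULE_MAX_SIZE = 10000  # filesize:<10000


def parse_signature_header(data: bytes):
    """Decode the fixed 32-byte 7z signature header; None if not a 7z file."""
    if len(data) < 32 or not data.startswith(SEVENZ_MAGIC):
        return None
    major, minor = data[6], data[7]
    (start_crc,) = struct.unpack_from("<I", data, 8)
    next_offset, next_size, next_crc = struct.unpack_from("<QQI", data, 12)
    return {
        "major": major,
        "minor": minor,
        "start_crc": start_crc,
        # StartHeaderCRC covers the 20 bytes that follow it (offsets 12..31).
        "start_crc_ok": (zlib.crc32(data[12:32]) & 0xFFFFFFFF) == start_crc,
        "next_offset": next_offset,
        "next_size": next_size,
        "next_crc": next_crc,
    }


def matches_et_2065690(data: bytes) -> bool:
    """Same three conditions as the Suricata rule, evaluated on a file at rest."""
    return (
        len(data) < RULE_MAX_SIZE
        and data.startswith(RULE_CONTENT)
        and RULE_PCRE.search(data) is not None
    )


def triage_7z(data: bytes) -> list:
    """Endpoint triage: rule logic plus structural checks the rule cannot express."""
    hdr = parse_signature_header(data)
    if hdr is None:
        return ["not-7z"]
    findings = []
    # 7-Zip writes archive version 0.4; anything newer is a heuristic red flag
    # (assumption of this example, not a condition from the advisory).
    if hdr["major"] != 0 or hdr["minor"] > 4:
        findings.append("abnormal-version")
    if not hdr["start_crc_ok"]:
        findings.append("start-header-crc-mismatch")
    # The next header starts 32 + NextHeaderOffset bytes in and must fit in the file.
    if 32 + hdr["next_offset"] + hdr["next_size"] > len(data):
        findings.append("next-header-out-of-bounds")
    if matches_et_2065690(data):
        findings.append("et-2065690")
    return findings


def build_signature_header(major, minor, next_offset, next_size, next_crc):
    """Build a well-formed signature header with a correct StartHeaderCRC."""
    tail = struct.pack("<QQI", next_offset, next_size, next_crc)
    start_crc = zlib.crc32(tail) & 0xFFFFFFFF
    return SEVENZ_MAGIC + bytes([major, minor]) + struct.pack("<I", start_crc) + tail


# Constructed samples (not real archives from the write-up):
# a minimal well-formed header with an empty next header,
BENIGN_SAMPLE = build_signature_header(0, 4, 0, 0, 0)
# a file shaped to satisfy all three rule conditions,
CRAFTED_SAMPLE = (
    RULE_CONTENT + b"\x00" * 22              # rest of the 32-byte signature header
    + b"\x30" * 30 + b"\x00" + b"\x30" * 30  # the two 0x30 runs the PCRE wants
    + b"\x17\x06\x1a\x01"                    # trailing bytes the PCRE requires
)
# and the same file padded past the rule's filesize cut-off.
OVERSIZED_SAMPLE = CRAFTED_SAMPLE + b"\x00" * RULE_MAX_SIZE

if __name__ == "__main__":
    for name, sample in [("benign", BENIGN_SAMPLE), ("crafted", CRAFTED_SAMPLE),
                         ("oversized", OVERSIZED_SAMPLE)]:
        print(f"{name:9s} rule={matches_et_2065690(sample)!s:5s} triage={triage_7z(sample)}")
```

The oversized sample shows why the rule alone is a weak signal: padding the same crafted header past 10,000 bytes silences the rule, while the version and CRC checks still flag it. Conversely, a correct-looking header does not prove the PPMd properties are safe, so the structural checks are a triage aid, not a replacement for patching to 23.00 or later.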
CVSS provenance
- NVD (v3.1): 7.8 HIGH, CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
- OSV: 7.8 HIGH
- Debian: 7.8 HIGH
OSV
CVE-2023-31102 · osv · 2023-11-03 · CVSS 7.8 [HIGH]
Ppmd7.c in 7-Zip before 23.00 allows an integer underflow and invalid read operation via a crafted 7Z archive.
GHSA
GHSA-4cc6-f2xj-w7jx · ghsa_unreviewed · 2023-11-03 · [HIGH] · CWE-191 (Integer Underflow)
7-Zip through 22.01 on Linux allows an integer underflow and code execution via a crafted 7Z archive.
CISA ICS
Rockwell Automation AADvance Trusted SIS Workstation · cisa_ics · 2024-09-12 · CVSS 7.8 [HIGH]
ICS Advisory: Rockwell Automation AADvance Trusted SIS Workstation
Release Date: September 12, 2024
Alert Code: ICSA-24-256-20
## 1. EXECUTIVE SUMMARY
- CVSS v3 7.8
- ATTENTION: Low attack complexity
- Vendor: Rockwell Automation
- Equipment: AADvance Trusted SIS Workstation
- Vulnerabilities: Improper Input Validation
## 2. RISK EVALUATION
Successful exploitation of these vulnerabilities could result in an attacker executing code within the context of the current process.
## 3. TECHNICAL DETAILS
## 3.1 AFFECTED PRODUCTS
The following versions of AADvance Trusted SIS Workstation, a manufacturing controller management suite, are affected:
- AADvance Trusted SI
Debian
CVE-2023-31102 · vendor_debian · 2023 · CVSS 7.8 [HIGH] · package 7zip
Ppmd7.c in 7-Zip before 23.00 allows an integer underflow and invalid read operation via a crafted 7Z archive.
Scope: local
bookworm: open
forky: resolved (fixed in 23.01+dfsg-1)
sid: resolved (fixed in 23.01+dfsg-1)
trixie: resolved (fixed in 23.01+dfsg-1)
Suricata
ET EXPLOIT 7-Zip 7z File PPMd Properties Parsing Integer Underflow (CVE-2023-31102) · suricata · 2025-11-06 · CVSS 7.8 [HIGH]
Rule: sid 2065690 (full rule text in Detection & IOCs above).
No public exploits indexed.
No writeups or analysis indexed.
References
- https://ds-security.com/post/integer-overflow-in-7-zip-cve-2023-31102/
- https://security.netapp.com/advisory/ntap-20231110-0007/
- https://sourceforge.net/p/sevenzip/discussion/45797/thread/713c8a8269/
- https://www.7-zip.org/download.html
- https://www.zerodayinitiative.com/advisories/ZDI-23-1165/