CVE-2024-11477 — Integer Underflow (Wrap or Wraparound) in 7-zip

CWE-191 — Integer Underflow (Wrap or Wraparound)5 documents5 sources

Severity

7.8HIGHNVD

EPSS

43.6%

top 2.47%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

7-zip Debian 7zip Debian P7zip +1 more

Timeline

PublishedNov 22

Latest updateApr 17

Description

7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of Zstandard decompression. The issue results from the lack of proper validation of user-supplied data, which can result in a…

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:HExploitability: 1.8 | Impact: 5.9

Affected Packages5 packages

▶NVD7-zip/7-zip< 24.07

▶debiandebian/7zip< 7zip 24.07+dfsg-1 (forky)

▶debiandebian/p7zip< 7zip 24.07+dfsg-1 (forky)

▶CVEListV57-zip/7-zip24.06

▶googlegoogle/chrome_chrome

🔴Vulnerability Details

OSV

CVE-2024-11477: 7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability↗2024-11-22

▶

GHSA

GHSA-882h-ff2x-f86q: 7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability↗2024-11-22

▶

📋Vendor Advisories

Chrome

Long Term Support Channel Update for ChromeOS: CVE-2024-11477↗2025-04-17

▶

Debian

CVE-2024-11477: 7zip - 7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerabil...↗2024

▶