7-Zip: 7-Zip Zstandard decompression integer underflow remote code execution (CVE-2024-11477)
Summary
In this episode, we’ll explore CVE-2024-11477, a critical remote code execution vulnerability in 7-Zip’s Zstandard decompression component. Reported by Trend Micro’s ZDI team, this flaw allows an attacker to craft a malicious archive that triggers an integer underflow, leading to arbitrary code execution in the context of the decompression process.
Product details
- Vendor: 7-Zip
- Affected component: Zstandard (ZSTD) decompression function
- Affected version: 7-Zip 24.06
- Discovery: ZDI-CAN-24346, published November 22, 2024
- Status: Patched in subsequent releases of 7-Zip
Vulnerability type summary
This vulnerability is classified under CWE-191: Integer Underflow (Wrap or Wraparound). An integer underflow occurs when a numeric value is decremented below its minimum representable value, causing it to wrap around to a very large value. In decompression logic, this can lead to incorrect memory offsets and buffer operations.
Details of the vulnerability
During Zstandard decompression, 7-Zip fails to properly validate user-supplied data lengths. A specially crafted archive can trigger an underflow in the size calculation before writing decompressed data to memory. When the underflow occurs, a write operation can target out-of-bounds memory locations, enabling an attacker to overwrite function pointers or control structures. By luring a victim to decompress the malicious file—whether through direct file opening, previewing in an archive manager, or automated processing—an attacker can execute arbitrary code under the privileges of the 7-Zip process.
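The wraparound described above, and the compare-before-subtract check that prevents it, as an added example that is not 7-Zip's code or the Zstandard format. The `seq_t` record, the function names and the sample sizes are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed sequence record; NOT the Zstandard format or 7-Zip's code. */
typedef struct { size_t lit_len; size_t match_len; } seq_t;

/* Flawed pattern: room left after the literals. If lit_len > cap - pos,
   the unsigned subtraction wraps to a huge value (CWE-191). */
size_t room_unchecked(size_t cap, size_t pos, size_t lit_len) {
    return cap - pos - lit_len;
}

/* Checked form: compare before subtracting. Returns 0 on success, -1 if the
   lengths do not fit. */
int room_checked(size_t cap, size_t pos, size_t lit_len, size_t *room) {
    if (pos > cap || lit_len > cap - pos) return -1;
    *room = cap - pos - lit_len;
    return 0;
}

/* Hardened copy of one sequence: every length is validated before any write. */
int emit_sequence(uint8_t *dst, size_t cap, size_t *pos, const uint8_t *lits,
                  size_t lits_avail, seq_t s, size_t offset) {
    size_t room;
    if (s.lit_len > lits_avail) return -1;
    if (room_checked(cap, *pos, s.lit_len, &room) != 0) return -1;
    if (s.match_len > room) return -1;
    if (offset == 0 || offset > *pos + s.lit_len) return -1;
    memcpy(dst + *pos, lits, s.lit_len);
    *pos += s.lit_len;
    for (size_t i = 0; i < s.match_len; i++, (*pos)++)
        dst[*pos] = dst[*pos - offset]; /* byte-wise: LZ matches may overlap */
    return 0;
}

int main(void) {
    size_t room = 0;
    /* Constructed input: 16-byte buffer, 10 bytes used, 8 literals claimed. */
    printf("unchecked room: %zu\n", room_unchecked(16, 10, 8));
    printf("checked result: %d\n", room_checked(16, 10, 8, &room));
    return 0;
}
```

With the unchecked calculation, any later `match_len > room` test passes for every length, which is why the bound has to be established before the subtraction rather than after it.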
Conclusion
CVE-2024-11477 underscores the importance of robust input validation in compression libraries. To protect yourself, update 7-Zip to the latest patched version, avoid opening archives from untrusted sources, and monitor your environment for unexpected 7-Zip activity. Stay tuned for more vulnerability breakdowns and mitigation tips on our next episode.
Related Content
NOTE: The following related content has not been vetted and may be unsafe.
- https://www.zerodayinitiative.com/advisories/ZDI-24-1532/
- [2025-05-08] Article discusses the CVE-2024-11477 vulnerability in 7-Zip's ZSTD decompression function.
- [2025-05-08] Article about CVE-2024-11477, a buffer overflow vulnerability in 7-Zip's ZSTD decompression.