7-Zip: 7-Zip Zstandard decompression integer underflow remote code execution (CVE-2024-11477) #shorts

Summary

In this episode, we’ll explore CVE-2024-11477, a critical remote code execution vulnerability in 7-Zip’s Zstandard decompression component. Reported by Trend Micro’s ZDI team, this flaw allows an attacker to craft a malicious archive that triggers an integer underflow, leading to arbitrary code execution in the context of the decompression process.

Product details

- Vendor: 7-Zip
- Affected component: Zstandard (ZSTD) decompression function
- Affected version: 7-Zip 24.06
- Discovery: ZDI-CAN-24346, published November 22, 2024
- Status: Patched in subsequent releases of 7-Zip

Vulnerability type summary

This vulnerability is classified under CWE-191: Integer Underflow (Wrap or Wraparound). An integer underflow occurs when a numeric value is decremented below its minimum representable value; in unsigned arithmetic the result wraps around to a very large value. In decompression logic, a wrapped value that is then used as a length or offset leads to incorrect memory offsets and out-of-bounds buffer operations.

Details of the vulnerability

During Zstandard decompression, 7-Zip fails to properly validate user-supplied data lengths. A specially crafted archive can trigger an underflow in the size calculation performed before decompressed data is written to memory. Once the value has wrapped, the subsequent write can target out-of-bounds memory locations, enabling an attacker to overwrite function pointers or control structures. By luring a victim into decompressing the malicious file (by opening it directly, previewing it in an archive manager, or having it processed automatically), an attacker can execute arbitrary code with the privileges of the 7-Zip process.
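The underflow pattern described above, shown as an added example that is not 7-Zip's code: a hypothetical LZ-style block copier whose unchecked length subtraction wraps on a crafted header, beside a hardened version that validates the same fields before using them as a copy length. The header fields block_len and header_len and all inputs are constructed for illustration.

```c
/* Added illustration of the CWE-191 pattern described above. This is a
 * simplified, hypothetical block copier, not 7-Zip's Zstandard code. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Unchecked size calculation: when header_len > block_len the subtraction
 * wraps to a huge size_t (integer underflow). Only the value is returned
 * here, so the wrap can be observed without performing the bad write. */
size_t payload_len_unchecked(size_t block_len, size_t header_len)
{
    return block_len - header_len;
}

/* Hardened version: validates every attacker-influenced quantity before
 * it becomes a copy length or offset. Returns bytes copied, or -1 if the
 * block is malformed or would not fit in the output buffer. */
long copy_payload_checked(size_t block_len, size_t header_len,
                          const uint8_t *src, size_t src_len,
                          uint8_t *dst, size_t dst_cap, size_t dst_pos)
{
    if (header_len > block_len)                 /* subtraction would underflow */
        return -1;
    if (block_len > src_len)                    /* would read past the input */
        return -1;
    size_t len = block_len - header_len;
    if (dst_pos > dst_cap || len > dst_cap - dst_pos)  /* would write past output */
        return -1;
    memcpy(dst + dst_pos, src + header_len, len);
    return (long)len;
}

/* Runs constructed inputs through both paths; returns the number of
 * expectations that held (4 when everything behaves as described). */
int self_check(void)
{
    uint8_t in[16], out[16] = {0};
    int ok = 0;
    for (int i = 0; i < 16; i++) in[i] = (uint8_t)i;
    /* Malicious header: header_len larger than block_len. */
    ok += payload_len_unchecked(4, 8) == SIZE_MAX - 3;            /* wrapped */
    ok += copy_payload_checked(4, 8, in, 16, out, 16, 0) == -1;   /* rejected */
    /* Well-formed block: 8 bytes, 2 of header, 6 of payload. */
    ok += copy_payload_checked(8, 2, in, 16, out, 16, 0) == 6 && out[5] == 7;
    /* Well-formed block that would overrun the output position. */
    ok += copy_payload_checked(8, 2, in, 16, out, 16, 12) == -1;
    return ok;
}
```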

Conclusion

CVE-2024-11477 underscores the importance of robust input validation in compression libraries. To protect yourself, update 7-Zip to the latest patched version, avoid opening archives from untrusted sources, and monitor your environment for unexpected 7-Zip activity. Stay tuned for more vulnerability breakdowns and mitigation tips in our next episode.

Watch the full video on YouTube: CVE-2024-11477

CVE database technical details

CVE ID: CVE-2024-11477
Description: 7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of Zstandard decompression. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24346.
Provider: zdi
CWE / problem types: CWE-191: Integer Underflow (Wrap or Wraparound)
Affected Software Versions: 7-Zip 24.06 (affected)
Date Published: 2024-11-22T20:22:33.278Z
Last Updated: 2025-02-15T00:10:31.081Z