Friday, April 17, 2026

New 7-Zip Vulnerability Lets RAR5 Files Crash Systems

A critical vulnerability in the popular 7-Zip file archiver has been discovered and patched. The flaw allowed malicious actors to craft weaponized RAR5 files that can crash systems and potentially corrupt memory.

The security vulnerability, designated CVE-2025-53816, affects 7-Zip versions prior to 25.00 and demonstrates how seemingly innocent archive files can become vectors for denial-of-service attacks.

The vulnerability stems from a miscalculation in 7-Zip’s RAR5 decoder, specifically within the NCompress::NRar5::CDecoder component that handles compressed RAR5 archives.

When the decoder encounters corrupted items in a RAR5 file, it attempts to repair them by filling damaged sections with zeros—a standard recovery mechanism designed to salvage partially corrupted data.

However, researchers discovered that the decoder incorrectly calculates how many bytes need to be zeroed out during this recovery process.

The flaw lies in how the software determines the remaining size (the rem value) to be filled: the miscalculated value leads to a heap buffer overflow in which zeros are written beyond the allocated memory boundary.

This miscalculation is triggered by manipulating the _lzEnd variable, which depends on the size of archive items that attackers can control.

The vulnerability was first reported through coordinated disclosure on April 24, 2025, acknowledged by the 7-Zip development team on April 29, and subsequently fixed in version 25.00 released on July 5, 2025.

Security researchers were able to demonstrate the exploit using AddressSanitizer (ASAN) tools, showing that malicious RAR5 files could trigger heap buffer overflows consistently across different platforms.

7-Zip Vulnerability

While the vulnerability primarily overwrites memory locations with zeros rather than arbitrary data, it still poses significant risks to system stability and security. The attack vector presents multiple concerns for users and organizations:

  • Immediate system crashes – The heap buffer overflow causes immediate crashes in 7-Zip, potentially leading to data loss if users are processing important archives.
  • Cross-platform vulnerability – Testing revealed that the vulnerability affects both Windows and Linux systems, with proof-of-concept files successfully crashing official 7-Zip builds even without specialized debugging tools.
  • Easy attack distribution – RAR5 files are commonly shared through email attachments, file sharing services, and download portals, making it simple for malicious actors to distribute weaponized archives.
  • Enterprise risk exposure – Organizations that rely on 7-Zip for automated archive processing, backup systems, or file servers face elevated risks, as a single malicious archive could disrupt critical operations.

The vulnerability’s classification as CWE-122 (Heap-based Buffer Overflow) underscores its potential for causing widespread system instability, even if direct code execution remains unlikely.

The memory corruption could destabilize entire applications or systems, particularly in environments where 7-Zip is integrated into automated processing workflows.

Update to Version 25.00 or Later

Users and organizations must immediately update their 7-Zip installations to version 25.00 or later to protect against this vulnerability.

The fix addresses the underlying calculation error in the RAR5 decoder, preventing malicious files from triggering buffer overflows during the recovery process.

System administrators should prioritize updating 7-Zip across all networked systems, particularly those that automatically process incoming archives or integrate 7-Zip functionality into larger applications.

Until updates are completed, users should exercise extreme caution when opening RAR5 files from untrusted sources and consider temporarily switching to alternative archive utilities for critical operations.
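For pipelines that process archives automatically, the two mitigations above can be combined into one gate. The following is an added example, not code from the article or the 7-Zip project: it parses the version from a 7-Zip banner line, compares it with 25.00, and holds RAR5 input unless the local build is confirmed fixed. The function names and sample banners are constructed for illustration.

```python
import re

FIXED = (25, 0)                       # first fixed release named in the article
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"  # RAR 5.0 file signature
RAR4_MAGIC = b"Rar!\x1a\x07\x00"      # RAR 1.5 to 4.x file signature

# Banner forms seen in the wild: "7-Zip 24.09 (x64)", "7-Zip (z) 24.09 (x64)",
# and p7zip's "7-Zip [64] 16.02".
_BANNER = re.compile(r"7-Zip(?:\s+\([a-z]\)|\s+\[\d+\])?\s+(\d+)\.(\d+)")

def parse_version(banner):
    """Return (major, minor) from a 7-Zip banner line, or None if unparseable."""
    m = _BANNER.search(banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_vulnerable(banner):
    """True if older than 25.00, False if fixed, None if the version is unknown."""
    version = parse_version(banner)
    return None if version is None else version < FIXED

def rar_format(head):
    """Classify the first bytes of a file as 'rar5', 'rar4' or None.
    Self-extracting archives carry the signature after an executable stub,
    so a head-only check does not identify them."""
    if head.startswith(RAR5_MAGIC):
        return "rar5"
    if head.startswith(RAR4_MAGIC):
        return "rar4"
    return None

def should_quarantine(banner, head):
    """Hold RAR5 input unless the local 7-Zip build is confirmed fixed.
    An unknown version is treated as unpatched (fail closed)."""
    return rar_format(head) == "rar5" and is_vulnerable(banner) is not False

if __name__ == "__main__":
    # Constructed sample banners and file heads, not captured from real hosts.
    banners = [
        "7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29",
        "7-Zip (z) 25.00 (x64)",
        "7-Zip [64] 16.02",
        "command not found",
    ]
    heads = {"sample.rar": RAR5_MAGIC + b"\x00" * 8, "sample.zip": b"PK\x03\x04"}
    for banner in banners:
        for name, head in heads.items():
            print(f"{banner[:24]!r:28} {name:11} hold={should_quarantine(banner, head)}")
```

Feed it the first line printed by the installed 7-Zip binary and the first eight bytes of each incoming file.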

Ethan Brooks
Ethan Brooks is a Senior cybersecurity journalist passionate about threat intelligence and data privacy. His work highlights cyber attacks, hacking, security culture, and cybercrime with The Cyber News.