Critical Vulnerability in 7-Zip Threatens Millions of Devices

A vulnerability has been discovered in the 7-Zip file archiver that lets an attacker execute arbitrary code on a victim's machine through a specially crafted archive. The developers have released a fixed version, but it has to be installed manually: 7-Zip has no automatic update mechanism, so an unpatched copy stays unpatched until someone replaces it.

The vulnerability, registered as CVE-2024-11477 with a CVSS score of 7.8, stems from insufficient validation of input while decompressing data compressed with the Zstandard algorithm. A length taken from the archive is used in arithmetic without being checked, causing an integer underflow before a memory write; the resulting out-of-bounds write can be turned into code execution in the context of the 7-Zip process. Zstandard is widely used, for example in Btrfs, SquashFS and OpenZFS and for HTTP compression, because of its high speed and good compression ratio.
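To make the bug class concrete, the following added example (written for this article, not 7-Zip's or the Zstandard project's code) uses a made-up block layout in which a length declared in the file is subtracted from without validation. The vulnerable routine shows the value such a subtraction wraps to; the hardened routine shows the checks a decoder needs before it copies anything. The block format, the sample blocks and all function names are constructed for illustration only.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical block layout, constructed for this example. It is NOT the
 * real Zstandard block format and NOT 7-Zip's decoder; it only reproduces
 * the bug class the advisory describes: a length read from the file feeds
 * a subtraction, the size_t result wraps, and the following copy would run
 * far past the output buffer.
 *
 *   blk[0..1]  declared block length, little-endian (includes the header)
 *   blk[2]     n = number of literal bytes that follow
 *   blk[3..]   n literal bytes, then (declared - 3 - n) "tail" bytes
 */
#define HDR_LEN 3u

typedef struct {
    uint8_t *out;   /* decompressed output buffer */
    size_t   cap;   /* capacity of out */
    size_t   len;   /* bytes written so far */
} sink_t;

/* Vulnerable computation: trusts the declared length. When
 * declared < HDR_LEN + n the subtraction underflows to a value near
 * SIZE_MAX. The vulnerable pattern would hand that straight to memcpy;
 * here we only return the size it would have copied. */
static size_t vuln_tail_len(const uint8_t *blk) {
    size_t declared = (size_t)blk[0] | ((size_t)blk[1] << 8);
    size_t n = blk[2];
    return declared - HDR_LEN - n;   /* may wrap */
}

/* Hardened decoder: every length derived from the input is checked against
 * the input actually present and the output space before any copy.
 * Returns 0 on success, -1 if the block is rejected. */
static int hardened_decode_block(const uint8_t *blk, size_t blk_len, sink_t *s) {
    if (blk_len < HDR_LEN) return -1;
    size_t declared = (size_t)blk[0] | ((size_t)blk[1] << 8);
    size_t n = blk[2];

    /* The declared length must cover header plus literals, and must not
     * claim more input than the caller actually supplied. */
    if (declared < HDR_LEN + n || declared > blk_len) return -1;
    size_t tail = declared - HDR_LEN - n;   /* cannot underflow now */

    /* n + tail <= declared <= 0xFFFF, so this sum cannot overflow; compare
     * against the remaining space instead of computing len + n + tail. */
    if (n + tail > s->cap - s->len) return -1;

    memcpy(s->out + s->len, blk + HDR_LEN, n);
    s->len += n;
    memcpy(s->out + s->len, blk + HDR_LEN + n, tail);
    s->len += tail;
    return 0;
}

/* Constructed sample blocks (not taken from any real archive). */
/* Well-formed: declared 8 = 3 header + 2 literals + 3 tail bytes.      */
static const uint8_t GOOD_BLK[] = { 0x08, 0x00, 0x02, 'A', 'B', 'x', 'y', 'z' };
/* Malicious: declared 4 but n = 6, so declared - 3 - n underflows.      */
static const uint8_t BAD_BLK[]  = { 0x04, 0x00, 0x06, 'A', 'B', 'C', 'D', 'E', 'F' };

/* Decode GOOD_BLK into a fresh 16-byte sink; returns bytes written, or a
 * negative value if decoding failed or produced the wrong bytes. */
static int decode_good_len(void) {
    uint8_t buf[16];
    sink_t s = { buf, sizeof buf, 0 };
    if (hardened_decode_block(GOOD_BLK, sizeof GOOD_BLK, &s) != 0) return -1;
    return memcmp(buf, "ABxyz", 5) == 0 ? (int)s.len : -2;
}

/* Feed BAD_BLK to the hardened decoder; returns its status code. */
static int decode_bad_status(void) {
    uint8_t buf[16];
    sink_t s = { buf, sizeof buf, 0 };
    return hardened_decode_block(BAD_BLK, sizeof BAD_BLK, &s);
}

int main(void) {
    printf("vulnerable tail length for BAD_BLK: %zu (output buffer holds 16)\n",
           vuln_tail_len(BAD_BLK));
    printf("hardened decoder on GOOD_BLK wrote %d bytes\n", decode_good_len());
    printf("hardened decoder on BAD_BLK returned %d\n", decode_bad_status());
    return 0;
}
```

The point of the hardened version is that the check happens on the declared value before the subtraction, not on the (already wrapped) result: once `declared - HDR_LEN - n` has wrapped, comparing it against the buffer size would still look fine to a sloppy `<=` test in some code paths, and unsigned arithmetic gives no other warning.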

An attacker exploits the flaw by getting a crafted archive in front of a 7-Zip user, for example as an email attachment, on a network share or as a download. No privileges are required beyond convincing the user to open the file with 7-Zip; once it is opened, the attacker's code runs with the privileges of that user.

The issue was reported by researchers working with Trend Micro's Zero Day Initiative in June 2024 and was fixed in 7-Zip 24.07. The current release, 24.08, is available from the official 7-Zip website, and users are advised to install it. Since 7-Zip does not update itself, check which version is installed (Help > About in the file manager, or run 7z.exe with no arguments, which prints the version banner) and also check other software that bundles 7-Zip's 7z.dll, since such copies need updating separately. If 7-Zip is not needed, uninstalling it removes the exposure entirely; recent versions of Windows 11 File Explorer can open .7z archives natively.
