
22 matches found

Snyk
added 2026/06/05 5:12 p.m., 5 views

Integer Overflow or Wraparound

Overview: Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the ParseLibSymbols function when parsing a BSD-style .SYMDEF symbol table. An attacker can access sensitive information from uninitialized heap memory by providing a specially crafted Unix ar archive...

CVSS 7.1 | AI score 5.4 | EPSS 0.00267
Exploits: 1 | References: 3
Snyk
added 2026/06/05 4:46 p.m., 6 views

Out-of-bounds Read

Overview: Affected versions of this package are vulnerable to Out-of-bounds Read in the SquashFS ReadBlock function. An attacker can cause disclosure of heap memory contents by providing a specially crafted SquashFS archive with a manipulated node.Offset value, which bypasses fragment bounds check...

CVSS 8.1 | AI score 5.4 | EPSS 0.00324
Exploits: 1 | References: 3
Snyk
added 2026/06/05 4:14 p.m., 13 views

Integer Overflow or Wraparound

Overview: Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the NTFS handler that miscalculates compression-unit buffer size in the GetCuSize function. An attacker can achieve arbitrary code execution or application crash by sending data with specially crafted...

CVSS 8.8 | AI score 6.4 | EPSS 0.00938
Exploits: 1 | References: 4
CVE
added 2026/06/05 3:56 p.m., 22 views

CVE-2026-48104

7-Zip (versions 9.18–26.00) contains an uninitialized heap read in the SquashFS archive handler. A sparsely populated index array causes _blockToNode to be allocated for all metadata blocks but only populated when an inode crosses a block boundary; images with few inodes spanning many blocks leav...

CVSS 4.2 | AI score 5.5 | EPSS 0.00179
Exploits: 1 | References: 1 | Affected Software: 1
Tenable Nessus
added 2026/05/29 12:0 a.m., 11 views

Linux Distros Unpatched Vulnerability : CVE-2026-48104

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - 7-Zip is a file archiver with a high compression ratio. Versions 9.18 through 26.00 contain an uninitialized heap read in the SquashFS archive handler caused by...

CVSS 4.2 | AI score 5.5 | EPSS 0.00179
Exploits: 1 | References: 3
OSV
added 2026/05/18 9:31 a.m., 8 views

GHSA-CJM8-JXPW-G43M Mattermost doesn't validate 7zip archive structure before processing

Mattermost versions 11.5.x <= 11.5.1, 10.11.x <= 10.11.13, 11.4.x <= 11.4.3 fail to validate 7zip archive structure before processing which allows an authenticated attacker to cause server memory exhaustion and denial of service via uploading a specially crafted 7zip file with excessive folder...

CVSS 4.3 | AI score 5.8 | EPSS 0.0024
Exploits: 0 | References: 4
Cvelist
added 2026/03/20 1:45 a.m., 22 views

CVE-2026-32808 pyLoad: Arbitrary File Deletion via Path Traversal during Encrypted 7z Password Verification

pyLoad is a free and open-source download manager written in Python. Versions before 0.5.0b3.dev97 are vulnerable to path traversal during password verification of certain encrypted 7z archives (encrypted files with non-encrypted headers), causing arbitrary file deletion outside of the extraction...

CVSS 8.1 | EPSS 0.00327
Exploits: 1 | References: 1
OSV
added 2026/02/19 12:0 a.m., 0 views

OPENSUSE-SU-2026:10227-1 python311-py7zr-1.1.0-1.1 on GA media

These are all security issues fixed in the python311-py7zr-1.1.0-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 7.5 | AI score 5.8 | EPSS 0.00476
Exploits: 0 | References: 1
Tenable Nessus
added 2025/12/03 12:0 a.m., 7 views

Fedora 44 : 7zip (2025-b5a4903ea0)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2025-b5a4903ea0 advisory. Automatic update for 7zip-25.01-1.fc44. Changelog Wed Nov 26 2025 Michel Lind - 25.01-1 - Update to 25.01 - 25.00+ fixes CVE-2025-11001; Resolves: rhbz241601...

CVSS 7.8 | AI score 7.3 | EPSS 0.27017
Exploits: 11 | References: 2
OpenVAS
added 2025/10/27 12:0 a.m., 3 views

SUSE: Security Advisory (SUSE-SU-2025:3791-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2025 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...

CVSS 7.8 | AI score 6.8 | EPSS 0.00614
Exploits: 2 | References: 5
Tenable Nessus
added 2025/10/14 12:0 a.m., 7 views

Linux Distros Unpatched Vulnerability : CVE-2025-11001

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected...

CVSS 7.8 | AI score 7.7 | EPSS 0.27017
Exploits: 11 | References: 2
Tenable Nessus
added 2025/10/14 12:0 a.m., 6 views

Linux Distros Unpatched Vulnerability : CVE-2025-11002

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - 7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected...

CVSS 7.8 | AI score 7.7 | EPSS 0.00517
Exploits: 1 | References: 2
OSV
added 2025/09/05 12:0 a.m., 2 views

OPENSUSE-SU-2025:15523-1 7zip-25.01-1.1 on GA media

These are all security issues fixed in the 7zip-25.01-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 7.5 | AI score 7.1 | EPSS 0.00635
Exploits: 2 | References: 2
ATTACKERKB
added 2023/11/22 10:15 p.m., 3 views

CVE-2023-49102

NZBGet 21.1 allows authenticated remote code execution because the unarchive programs 7za and unrar preserve executable file permissions. An attacker with the Control capability can execute a file by setting the value of SevenZipCommand or UnrarCmd. NOTE: This vulnerability only affects products...

CVSS 8.8 | AI score 6.5 | EPSS 0.01501
Exploits: 1 | References: 3
NCSC
added 2023/08/28 12:0 a.m., 4 views

Vulnerabilities fixed in 7-zip

Vulnerabilities have been fixed in 7-zip. The vulnerabilities are located in the way 7Z and SQFS files are processed and allow a malicious person to execute arbitrary code in the context of the user. Successful exploitation requires the malicious party to trick the victim...

CVSS 7.8 | AI score 7.7 | EPSS 0.7104
Exploits: 0
SUSE CVE
added 2023/02/15 4:56 a.m., 3 views

SUSE CVE-2016-8689

The read_Header function in archive_read_support_format_7zip.c in libarchive 3.2.1 allows remote attackers to cause a denial of service (out-of-bounds read) via multiple EmptyStream attributes in a header in a 7zip archive...

CVSS 7.5 | AI score 9 | EPSS 0.03283
Exploits: 0 | References: 4
SUSE CVE
added 2023/02/15 4:4 a.m., 0 views

SUSE CVE-2019-1000019

libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be...

CVSS 3.3 | AI score 6.5 | EPSS 0.03407
Exploits: 1 | References: 9
SUSE CVE
added 2023/02/15 3:22 a.m., 1 views

SUSE CVE-2022-44900

A directory traversal vulnerability in the SevenZipFile.extractall function of the python library py7zr v0.20.0 and earlier allows attackers to write arbitrary files via extracting a crafted 7z file...

CVSS 9.1 | AI score 8.9 | EPSS 0.02242
Exploits: 3 | References: 4
OSV
added 2021/08/02 4:55 p.m., 1 views

GHSA-7HFM-57QF-J43Q Excessive Iteration in Compress

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package...

CVSS 7.5 | AI score 7.1 | EPSS 0.11879
Exploits: 0 | References: 22
OSV
added 2019/02/04 12:0 a.m., 0 views

UBUNTU-CVE-2019-1000019

libarchive version commit bf9aec176c6748f0ee7a678c5f9f9555b9a757c1 onwards (release v3.0.2 onwards) contains a CWE-125: Out-of-bounds Read vulnerability in 7zip decompression, archive_read_support_format_7zip.c, header_bytes() that can result in a crash (denial of service). This attack appears to be...

CVSS 6.5 | AI score 6.5 | EPSS 0.03407
Exploits: 1 | References: 5