Primary

Context

7-Zip Invalid XZ File Handling Error

Vulnerability

A vulnerability exists in 7-Zip version 22.01, where the application fails to report errors for certain invalid XZ files related to stream flags and reserved bits. This issue can lead to unexpected behavior, as 7-Zip incorrectly indicates successful processing of corrupted files. In contrast, some later versions of 7-Zip do not exhibit this problem.

Impact

Exploitation of this vulnerability can result in 7-Zip incorrectly processing corrupted XZ files without reporting the errors, potentially leading to issues in applications that rely on 7-Zip for handling compressed data.

Reproduction

The vulnerability can be reproduced by using an invalid XZ file that triggers the error related to stream flags or reserved bits. After 7-Zip processes the file, it will return an 'OK' status, which is unexpected. This behavior can be verified by comparing the output of 7-Zip with the XZ utility, which correctly identifies the file as corrupted.

Added: Jun 9, 2025, 7:46 PM

Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread

8.4

impact

2.5

exploitability

6.0

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

8.4

impact

2.5

exploitability

6.0

remediation

0.0

relevance

0.0

threat

6.4

urgency

2.9

incentive

0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

7-Zip Invalid XZ File Handling Error

Vulnerability

Impact

Reproduction

Affected Products

7-Zip

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating