The Digital Security Authority (DSA) wants to bring to your attention a critical vulnerability (CVE-2024-11477) in 7-Zip that allows attackers to execute malicious code when a user simply decompresses a crafted archive file.
Technical Details
Threat actors can craft archive files (.7z, .zip) that trigger the vulnerability during decompression. When a user extracts such a file, the malicious payload executes on their system. The flaw allows remote attackers to execute arbitrary code on affected installations of 7-Zip. It lies in the implementation of Zstandard decompression: user-supplied data is not properly validated, which can cause an integer underflow before data is written to memory.
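To illustrate the bug class the advisory describes (an unchecked length field from the archive that underflows a size computation before a memory write), the following is an added, hypothetical model of a block decoder, written for this advisory and not taken from 7-Zip's Zstandard code. The block layout, the function names and the sample blocks are constructed for the example.

```c
/* Hypothetical decoder model: NOT 7-Zip's Zstandard implementation.
   Block layout (constructed): [u8 header_len][header_len bytes][payload...]
   block_len is the total block length read from the archive. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OUT_CAP 64

/* Vulnerable pattern: header_len comes from the file and is trusted.
   If header_len > block_len - 1, the size_t subtraction underflows and the
   "payload length" becomes enormous; a memcpy with that length would write
   far past the output buffer. This version only returns the computed length
   so the underflow can be observed without any memory write. */
size_t payload_len_unchecked(const uint8_t *block, size_t block_len) {
    size_t header_len = block[0];
    return block_len - 1 - header_len;   /* underflows on malformed input */
}

/* Hardened pattern: validate the user-supplied field before subtracting,
   and validate the result against the output capacity before writing.
   Returns 1 on success, 0 if the block is rejected. */
int decode_block_checked(const uint8_t *block, size_t block_len,
                         uint8_t *out, size_t out_cap, size_t *out_len) {
    if (block == NULL || out == NULL || out_len == NULL) return 0;
    if (block_len < 1) return 0;                   /* no header byte at all */
    size_t header_len = block[0];
    if (header_len > block_len - 1) return 0;      /* would underflow */
    size_t payload_len = block_len - 1 - header_len;
    if (payload_len > out_cap) return 0;           /* would overflow out */
    memcpy(out, block + 1 + header_len, payload_len);
    *out_len = payload_len;
    return 1;
}

int main(void) {
    /* Constructed malformed block: claims a 200-byte header in a 4-byte block. */
    uint8_t bad[4] = {200, 0, 0, 0};
    uint8_t out[OUT_CAP];
    size_t n = 0;
    printf("unchecked payload length: %zu (underflowed)\n",
           payload_len_unchecked(bad, sizeof bad));
    printf("checked decode accepted malformed block: %d\n",
           decode_block_checked(bad, sizeof bad, out, OUT_CAP, &n));
    /* Constructed well-formed block: 1 header byte, then "hi!". */
    uint8_t good[5] = {1, 0xAA, 'h', 'i', '!'};
    if (decode_block_checked(good, sizeof good, out, OUT_CAP, &n))
        printf("decoded %zu payload bytes: %.3s\n", n, out);
    return 0;
}
```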
Affected Products:
All 7-Zip versions prior to 24.07
Recommendations
The Digital Security Authority recommends updating affected installations to the fixed version, 7-Zip 24.07, or to the latest available version.
References
The information presented in this report is based on available data up to the 1st of January 2025.