Researchers have disclosed two newly identified vulnerabilities in 7-Zip, one of the world's most widely used open-source file archivers. Both issues, CVE-2025-53816 and CVE-2025-53817, affect versions prior to 7-Zip 25.0.0, and while they are not believed to enable remote code execution, they pose a risk of memory corruption and denial of service (DoS).
The vulnerabilities have been assigned a CVSSv4 base score of 5.5, placing them in the medium severity range, yet serious enough to warrant immediate attention, especially for users processing untrusted archive files.
The first flaw (CVE-2025-53816) lies in 7-Zip's handling of RAR5 archives. Specifically, the software improperly calculates how many bytes to zero out in memory when extracting files, based on attacker-controlled values.
"Zeroes written outside heap buffer in RAR5 handler may lead to memory corruption and denial of service in versions of 7-Zip prior to 25.0.0," reads the CVE description.
This is due to incorrect arithmetic involving the _lzEnd variable, which depends on the size of the previous item in the archive and can be influenced by the attacker.
"The attacker may control how many bytes to overwrite... unlikely it could lead to arbitrary code execution, but it may lead to denial of service because of the memory corruption," the advisory explains.
While there is no evidence yet that this vulnerability can be weaponized for code execution, corrupting memory in heap space opens the door for process instability or crashes.
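An added illustration of the bug class described above, not 7-Zip's source code and not taken from the advisory: a zero-fill whose offset and length come from archive-influenced values, next to a bounds-checked form. The struct, the function names, and the subtraction used to derive the length are assumptions made for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a decoder window; all names are hypothetical. */
typedef struct {
    unsigned char *buf;
    size_t size;    /* bytes actually allocated for buf */
    size_t lz_end;  /* end of initialised data; derived from archive fields */
} lz_window;

/* Unchecked form: trusts lz_end and new_end. If lz_end > new_end the
 * size_t subtraction wraps to a huge length, and if either exceeds
 * size the memset writes zeroes past the heap allocation. */
void zero_tail_unchecked(lz_window *w, size_t new_end) {
    memset(w->buf + w->lz_end, 0, new_end - w->lz_end);
    w->lz_end = new_end;
}

/* Checked form: validate both offsets against the allocation before
 * doing any arithmetic. Returns 0 on success, -1 on rejected input. */
int zero_tail_checked(lz_window *w, size_t new_end) {
    if (w->lz_end > w->size || new_end > w->size || new_end < w->lz_end)
        return -1;
    memset(w->buf + w->lz_end, 0, new_end - w->lz_end);
    w->lz_end = new_end;
    return 0;
}

/* Constructed test driver: returns the checked function's result, or
 * -2 if any byte outside [lz_end, new_end) was modified. */
int check_case(size_t size, size_t lz_end, size_t new_end) {
    lz_window w = { malloc(size), size, lz_end };
    if (!w.buf) return -2;
    memset(w.buf, 0xAA, size);
    int rc = zero_tail_checked(&w, new_end);
    for (size_t i = 0; i < size; i++) {
        int in_range = (rc == 0 && i >= lz_end && i < new_end);
        if (w.buf[i] != (in_range ? 0x00 : 0xAA)) rc = -2;
    }
    free(w.buf);
    return rc;
}
```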
The second vulnerability (CVE-2025-53817) affects 7-Zip's support for extracting files from Compound Document formats. By crafting a malformed Compound Document file, an attacker could cause the 7-Zip application to crash unexpectedly, disrupting workflows and possibly causing service interruptions in automated file processing environments.
Both vulnerabilities have been addressed in the latest 7-Zip version 25.0.0. Users are urged to update immediately to ensure safe handling of compressed archives, especially those from untrusted or unknown sources.