CVE-2024-11477: Critical Flaw in 7-Zip Allows Hackers to Take Control

A vulnerability has been discovered in the 7-Zip file compression tool, enabling attackers to remotely execute malicious code through specially crafted archives. To address the issue, the developers have released an update, which must be installed manually, as the program does not support automatic updates.

The flaw, identified as CVE-2024-11477, carries a severity rating of 7.8 on the CVSS scale. It arises from insufficient input validation when processing files compressed using the Zstandard algorithm, potentially leading to memory overflow and malicious code injection. Zstandard is widely employed in systems such as Btrfs, SquashFS, and OpenZFS, as well as for HTTP compression, owing to its high performance and efficient compression capabilities.

Attackers can exploit this vulnerability by sending users maliciously crafted archives, for instance, via email or shared network resources. Opening such a file could result in the execution of harmful code.

The issue was uncovered in June 2024 by researchers from Trend Micro’s Zero-Day Initiative and has been resolved in version 7-Zip 24.07. The latest version, 24.08, is now available for download on the program’s official website. Users are strongly advised to update to the latest version or, if 7-Zip is not essential, to uninstall the program, as modern versions of Windows File Explorer natively support 7-Zip files.