CVE-2024-11477

7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability, but attack vectors may vary depending on the implementation.

The specific flaw exists within the implementation of Zstandard decompression. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24346.

Practical reading of the scoring: despite the "remote attackers" wording, both CVSS vectors below are AV:L/UI:R, i.e. the attacker has to get a victim to open (or an automated pipeline to process) a crafted Zstandard-compressed archive with a vulnerable 7-Zip build. The vulnerable range listed below is every 7-Zip release before 24.07, so the fix is to upgrade to 24.07 or later; applications that embed 7-Zip's decompression code (the "library" referred to above) inherit the flaw until they rebuild against a fixed version.

Weakness: CWE-191 Integer Underflow (Wrap or Wraparound)
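To make the bug class concrete, here is an added example in C. It is not 7-Zip's code and does not reproduce the actual CVE-2024-11477 code path; it models the pattern the description names: a remaining-length value derived from two attacker-controlled header fields is computed with unsigned arithmetic, wraps when the fields are inconsistent, and would then drive a memory write. The struct, field names and the check functions are hypothetical. The hardened variants show the validation that has to happen before the subtraction and before the copy.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical block header for a toy decoder (names made up for this example).
 * The compressed stream declares how many bytes the block holds and how many
 * have already been consumed; both values come straight from attacker input. */
struct block_hdr {
    uint32_t declared_len;  /* bytes the block claims to contain */
    uint32_t consumed;      /* bytes already read from it */
};

/* Vulnerable pattern: unsigned subtraction with no relation check.
 * If consumed > declared_len the result wraps to a value near SIZE_MAX, and a
 * later copy of that many bytes runs far past the end of the output buffer. */
size_t remaining_vuln(const struct block_hdr *h)
{
    return (size_t)h->declared_len - (size_t)h->consumed;
}

/* Hardened: establish consumed <= declared_len before subtracting, so the
 * difference cannot underflow. Returns 0 on success, -1 on a malformed header. */
int remaining_safe(const struct block_hdr *h, size_t *out)
{
    if (h->consumed > h->declared_len)
        return -1;
    *out = (size_t)h->declared_len - (size_t)h->consumed;
    return 0;
}

/* Hardened copy step: the length is bounded against both what the input still
 * holds and what is left in the output window. Returns bytes copied, or -1. */
long copy_block_checked(uint8_t *dst, size_t dst_len, size_t dst_pos,
                        const uint8_t *src, size_t src_len,
                        const struct block_hdr *h)
{
    size_t n;
    if (dst_pos > dst_len)             /* output cursor already past the end */
        return -1;
    if (remaining_safe(h, &n) != 0)    /* header would underflow */
        return -1;
    if (n > src_len)                   /* claims more than the input holds */
        return -1;
    if (n > dst_len - dst_pos)         /* no wrap: dst_pos <= dst_len above */
        return -1;
    memcpy(dst + dst_pos, src, n);
    return (long)n;
}

/* Constructed sample headers: one consistent, one with consumed > declared. */
static const struct block_hdr HDR_OK  = { 16, 4 };   /* 12 bytes remain */
static const struct block_hdr HDR_BAD = { 4, 16 };   /* would underflow */

/* Runs the checked copy into a 32-byte window at offset 8 with a 16-byte input. */
long demo_copy(const struct block_hdr *h)
{
    uint8_t src[16] = {0};
    uint8_t window[32] = {0};
    return copy_block_checked(window, sizeof window, 8, src, sizeof src, h);
}

int main(void)
{
    size_t n;
    printf("vuln remaining (ok header):  %zu\n", remaining_vuln(&HDR_OK));
    printf("vuln remaining (bad header): %zu  <- wrapped\n", remaining_vuln(&HDR_BAD));
    printf("safe remaining (bad header): %s\n",
           remaining_safe(&HDR_BAD, &n) == 0 ? "accepted" : "rejected");
    printf("checked copy (ok header):    %ld bytes\n", demo_copy(&HDR_OK));
    printf("checked copy (bad header):   %ld (rejected)\n", demo_copy(&HDR_BAD));
    return 0;
}
```

The point to take from the checked version is ordering: the relation between the two fields is verified before the subtraction, and the derived length is then compared against the real remaining space in both buffers, so no single attacker-controlled value ever reaches memcpy unchecked.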
Provider   Type  Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST       NIST  7.8 HIGH    LOCAL        LOW              NONE            CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
zdi        CNA   7.8 HIGH    LOCAL        LOW              NONE            CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CISA-ADP   ADP   ---         ---          ---              ---             ---
CVE        ADP   ---         ---          ---              ---             ---
Base Score (CVSS 3.x): 7.8 HIGH
EPSS percentile: 96%
Vendor  Product  Vulnerable versions
7-zip   7-zip    < 24.07
Debian releases

Product  Codename  Version                 Status
7zip     bookworm  22.01+dfsg-8+deb12u1    not-affected
7zip     trixie    24.09+dfsg-7            fixed
7zip     sid       24.09+dfsg-8            fixed
p7zip    bookworm  16.02+dfsg-8            not-affected
p7zip    bullseye  16.02+dfsg-8            fixed
p7zip    sid       16.02+transitional.1    fixed
p7zip    trixie    16.02+transitional.1    fixed

The 22.01 and 16.02 packages predate upstream 7-Zip's Zstandard decoder, which is why they are marked not-affected rather than fixed; p7zip 16.02+transitional.1 is a transitional package that pulls in 7zip.
Ubuntu releases

Product  Codename  Status
7zip     plucky    not-affected
7zip     oracular  not-affected
7zip     noble     not-affected
7zip     jammy     not-affected
7zip     focal     dne
p7zip    plucky    not-affected
p7zip    oracular  not-affected
p7zip    noble     not-affected
p7zip    jammy     needs-triage
p7zip    focal     needs-triage
p7zip    bionic    needs-triage
p7zip    xenial    needs-triage
p7zip    trusty    needs-triage

dne: the package does not exist in that release. The needs-triage rows are all p7zip 16.02 builds, the same upstream version Debian marks not-affected above, so they are pending review rather than confirmed vulnerable.