CVE-2024-11612

7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability. This vulnerability allows remote attackers to create a denial-of-service condition on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation.

The specific flaw exists within the processing of streams. The issue results from a logic error that can lead to an infinite loop. An attacker can leverage this vulnerability to create a denial-of-service condition on the system. Was ZDI-CAN-24307.
Infinite Loop
| Provider | Type | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector |
|---|---|---|---|---|---|---|
| NIST | NIST | 6.5 MEDIUM | NETWORK | LOW | NONE | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| zdi | CNA | 6.5 MEDIUM | | | | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H |
| CISA-ADP | ADP | --- | | | | --- |
Awaiting analysis
This vulnerability is currently awaiting analysis.
EPSS Score percentile: 26%
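
Debian Releases

| Debian Product | Codename | Version | Status |
|---|---|---|---|
| 7zip | bookworm | | unimportant |
| 7zip | trixie | 24.09+dfsg-7 | fixed |
| 7zip | sid | 24.09+dfsg-8 | fixed |
| p7zip | bookworm | | unimportant |
| p7zip | bullseye | | unimportant |
| p7zip | sid | 16.02+transitional.1 | fixed |
| p7zip | trixie | 16.02+transitional.1 | fixed |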
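
Ubuntu Releases

| Ubuntu Product | Codename | Status |
|---|---|---|
| 7zip | plucky | not-affected |
| 7zip | oracular | not-affected |
| 7zip | noble | deferred |
| 7zip | jammy | deferred |
| 7zip | focal | dne |
| p7zip | plucky | not-affected |
| p7zip | oracular | not-affected |
| p7zip | noble | not-affected |
| p7zip | jammy | deferred |
| p7zip | focal | deferred |
| p7zip | bionic | deferred |
| p7zip | xenial | deferred |
| p7zip | trusty | deferred |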