7-Zip Vulnerability Lets Malicious RAR5 Files Crash Systems

A critical denial-of-service vulnerability has been discovered in 7-Zip that allows attackers to crash systems using specially crafted RAR5 archive files.

The vulnerability, tracked as CVE-2025-53816, affects the popular compression software’s RAR5 decoder and can lead to memory corruption and system crashes when processing malicious archives.

Technical Details of the Vulnerability

Security researcher Jaroslav Lobačevski identified the flaw as GHSL-2025-058, which stems from a heap buffer overflow in the NCompress::NRar5::CDecoder component of 7-Zip version 24.09.

Field                Details
CVE ID               CVE-2025-53816
Severity             Denial of Service
Affected Software    7-Zip
Tested Version       24.09
Fixed Version        25.00
CWE Classification   CWE-122: Heap-based Buffer Overflow

The vulnerability occurs when the RAR5 decoder attempts to repair corrupted archive items by filling them with zeros, but a miscalculation in the memory operation leads to writing data beyond the allocated buffer boundaries.

The root cause lies in the calculation of the rem value during the My_ZeroMemory(_window + _winPos, (size_t)rem) function call.

When processing corrupted RAR5 files, the decoder incorrectly computes how much memory to zero out, resulting in heap memory corruption.

The vulnerability is particularly dangerous because the _lzEnd value, which influences the buffer overflow size, depends on attacker-controlled data from previous archive items.
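To make the bug class concrete, the following is an added illustration written for this article, not 7-Zip's decoder code. It models a decoder window with hypothetical names (Window, lzEnd, winPos, winSize) and shows the unsafe pattern the article describes (a zero-fill length derived from a header-controlled end marker without a bounds check) next to a hardened repair step that validates the state and clamps the length to the bytes actually left in the allocation. The unchecked length is only computed and returned, never used to write memory.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical sliding-window state for an LZ-style decoder (illustrative model,
   not 7-Zip's NCompress::NRar5::CDecoder). lzEnd plays the role the article gives
   _lzEnd: it comes from the headers of earlier items, so it is attacker-influenced. */
typedef struct {
    uint8_t *window;   /* heap buffer of winSize bytes */
    size_t   winSize;
    size_t   winPos;   /* next write position inside window */
    uint64_t lzEnd;    /* where the current item's data is supposed to end */
} Window;

/* Bug-class pattern: the zero-fill length is the raw difference between an
   untrusted end marker and the current position. It is returned here (never
   passed to memset) so the miscalculation can be observed safely. */
static uint64_t unchecked_fill_len(const Window *w) {
    return w->lzEnd - w->winPos;   /* can far exceed winSize - winPos */
}

/* Hardened repair step: validate state and clamp the fill length to the bytes
   that actually remain in the allocation before touching memory.
   Returns 0 on success (bytes zeroed in *written), -1 on inconsistent input. */
static int safe_zero_fill(Window *w, size_t *written) {
    *written = 0;
    if (w == NULL || w->window == NULL) return -1;
    if (w->winPos > w->winSize) return -1;          /* position already past the end */
    if (w->lzEnd < (uint64_t)w->winPos) return -1;  /* end marker before position: corrupt */
    uint64_t rem = w->lzEnd - w->winPos;
    size_t avail = w->winSize - w->winPos;
    if (rem > (uint64_t)avail) rem = avail;         /* the clamp the unsafe pattern lacks */
    memset(w->window + w->winPos, 0, (size_t)rem);
    w->winPos += (size_t)rem;
    *written = (size_t)rem;
    return 0;
}

/* Allocate a window and fill it with a non-zero pattern so zeroing is visible. */
static Window make_window(size_t size, size_t pos, uint64_t lzEnd) {
    Window w;
    w.window = malloc(size);
    if (w.window) memset(w.window, 0xAA, size);
    w.winSize = size;
    w.winPos = pos;
    w.lzEnd = lzEnd;
    return w;
}

/* Count trailing bytes of the window that still carry the 0xAA pattern (untouched). */
static size_t untouched_tail(const Window *w) {
    size_t n = 0;
    for (size_t i = w->winSize; i > 0 && w->window[i - 1] == 0xAA; i--) n++;
    return n;
}

int main(void) {
    /* Constructed scenario: 64-byte window, 16 bytes already written, and an
       end marker of 1024 carried over from a corrupted earlier item. */
    Window w = make_window(64, 16, 1024);
    size_t written = 0;
    printf("unchecked length: %llu bytes (buffer has only %zu left)\n",
           (unsigned long long)unchecked_fill_len(&w), w.winSize - w.winPos);
    int rc = safe_zero_fill(&w, &written);
    printf("hardened fill: rc=%d wrote %zu bytes, winPos now %zu\n", rc, written, w.winPos);
    free(w.window);
    return 0;
}
```

In the constructed scenario the unchecked length is 1008 bytes against a 48-byte remainder, which is exactly the shape of write the article describes; the hardened path zeroes 48 bytes and stops at the end of the allocation. The same clamp-plus-consistency check is what a code review should look for wherever a fill or copy length is derived from values read out of the archive.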

The vulnerability primarily enables denial of service rather than arbitrary code execution. When 7-Zip processes a malicious RAR5 file, the heap buffer overflow consistently overwrites memory locations with zeros.

While this limits the potential for code execution exploits, it can reliably crash the application and potentially the entire system.

Testing revealed that the vulnerability affects both ASAN-compiled builds and official Windows builds of 7-Zip.

The proof-of-concept demonstrates that extracting a crafted RAR5 file using the command 7zz e -so rar-crash.rar5 triggers an immediate crash with a heap buffer overflow error. The vulnerability has been classified under CWE-122: Heap-based Buffer Overflow.

The vulnerability disclosure followed responsible security practices, with the issue reported privately on April 24, 2025. The 7-Zip development team acknowledged the report within five days on April 29, 2025.

A fix was successfully implemented and released in 7-Zip version 25.00 on July 5, 2025, completing the remediation process within approximately two months of initial reporting.

Users should immediately update to 7-Zip version 25.00 or later to protect against this vulnerability.

Organizations should exercise caution when processing RAR5 files from untrusted sources and consider implementing additional security measures for archive processing workflows.
