New 7-Zip Vulnerability Enables Malicious RAR5 File to Crash Your System
A critical memory corruption vulnerability in the popular file archiver 7-Zip has been discovered that allows attackers to trigger denial of service conditions by crafting malicious RAR5 archive files.
The vulnerability, tracked as CVE-2025-53816 and designated GHSL-2025-058, affects all versions of 7-Zip prior to version 25.00.
Security researcher Jaroslav Lobačevski of GitHub Security Lab discovered the vulnerability, which has been assigned a CVSS score of 5.5, placing it in the medium severity range.
While the flaw is unlikely to lead to arbitrary code execution, it poses significant risks for denial-of-service attacks against systems processing untrusted archive files.
7-Zip Memory Corruption Vulnerability
The vulnerability stems from a heap-based buffer overflow in 7-Zip’s RAR5 decoder implementation. Specifically, the flaw occurs in the NCompress::NRar5::CDecoder component when the software attempts to recover from corrupted archive data by filling damaged sections with zeros.
The root cause lies in a miscalculation of the rem value during memory zeroing operations. When processing RAR5 archives, the decoder calls My_ZeroMemory(_window + _winPos, (size_t)rem), where the rem parameter is calculated as _lzEnd - lzSize.
However, the _lzEnd variable depends on the size of previous items in the archive, which can be controlled by attackers.
This miscalculation allows attackers to write zeros beyond the allocated heap buffer, potentially corrupting adjacent memory regions and causing application crashes.
Testing with AddressSanitizer (ASAN) demonstrated that specially crafted RAR5 files can trigger heap buffer overflows, with one proof-of-concept causing a write of 9,469 bytes beyond the allocated buffer.
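As an added illustration of the bounds check the description above implies, the following C is modelled on the advisory's account and is not 7-Zip's source; lz_window_t, recovery_len, zero_fill_bounded and demo_bounded_fill are hypothetical names, and the 32-byte window is constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Modelled after the advisory's description, not 7-Zip's source. The
   unchecked pattern computes rem = _lzEnd - lzSize and hands it to
   My_ZeroMemory(_window + _winPos, rem) with no comparison against the
   window, so an _lzEnd inflated by earlier archive items writes past it. */
typedef struct {
    uint8_t *window;   /* sliding window (heap-allocated in a real decoder) */
    size_t   win_size; /* allocated size of window */
    size_t   win_pos;  /* current write position */
} lz_window_t;
/* Derive the recovery length from the header-supplied values. Fails when
   lz_end < lz_size, which an unsigned subtraction would turn into a huge rem. */
static bool recovery_len(uint64_t lz_end, uint64_t lz_size, uint64_t *rem)
{
    if (lz_end < lz_size) return false;
    *rem = lz_end - lz_size;
    return true;
}
/* Zero-fill only if the request fits in the window. Returns bytes zeroed,
   or -1 to signal a corrupt archive; never writes outside the window. */
static long zero_fill_bounded(lz_window_t *w, uint64_t lz_end, uint64_t lz_size)
{
    uint64_t rem;
    if (!recovery_len(lz_end, lz_size, &rem)) return -1;
    if (w->win_pos >= w->win_size) return -1;
    if (rem > w->win_size - w->win_pos) return -1;  /* would overrun */
    memset(w->window + w->win_pos, 0, (size_t)rem);
    w->win_pos += (size_t)rem;
    return (long)rem;
}
/* Exercise the guard on a constructed 32-byte window with one guard byte
   after it. Returns 1 if a fitting request is honoured, an inflated one is
   rejected and the guard byte is untouched; 0 otherwise. */
static int demo_bounded_fill(void)
{
    uint8_t buf[33];
    memset(buf, 0xAA, sizeof buf);               /* buf[32] is the guard */
    lz_window_t w = { buf, 32, 24 };
    if (zero_fill_bounded(&w, 100, 92) != 8) return 0;   /* rem = 8 fits */
    if (buf[23] != 0xAA || buf[24] != 0 || buf[31] != 0) return 0;
    w.win_pos = 24;
    if (zero_fill_bounded(&w, 9469 + 92, 92) != -1) return 0; /* rem = 9469 */
    if (zero_fill_bounded(&w, 50, 92) != -1) return 0;   /* lz_end < lz_size */
    return buf[32] == 0xAA;
}
```

The rejected call models the 9,469-byte overrun from the ASAN run: with the check in place the request is refused as corrupt rather than written past the window.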
7-Zip is one of the world’s most widely used file archiving utilities, with the official website receiving over 1.3 million monthly visits and the software downloaded millions of times through various distribution channels.
The software’s popularity in both personal and enterprise environments amplifies the potential impact of this vulnerability.
Memory corruption vulnerabilities like this one can have severe consequences, including system crashes, data corruption, and service disruptions.
While this specific vulnerability is unlikely to enable remote code execution, it provides attackers with a reliable method to crash 7-Zip processes, potentially disrupting automated file processing systems or user workflows.
The vulnerability is particularly concerning because archive files have become the top choice for cyberattacks, accounting for 39% of all malware delivery methods according to recent threat research.
Malicious actors regularly exploit archive processing vulnerabilities to bypass security measures and deliver payloads.
Disclosure Timeline and Response
The vulnerability was responsibly disclosed through a coordinated disclosure process:
- April 24, 2025: Reported as a private issue to 7-Zip developers
- April 29, 2025: Report acknowledged by the development team
- July 5, 2025: Fixed in 7-Zip version 25.00
Developer Igor Pavlov addressed the vulnerability in 7-Zip 25.00, which was released on July 5, 2025. The update also includes performance improvements and enhanced CPU thread utilization for compression operations.
Security experts strongly recommend that all 7-Zip users immediately upgrade to version 25.00 or later. Since 7-Zip lacks automatic update functionality, users must manually download and install the latest version from the official website.
Organizations processing untrusted archive files should implement additional security measures, including restricting access to potentially malicious RAR5 archives and deploying comprehensive file validation before processing.