CVE-2022-47112 - Exploring the 7-Zip 22.01 xz File Parsing Bug—How Invalid XZ Files Slip By

---

*7-Zip is a popular open source archiving tool, trusted for handling formats like zip, rar, and the impressive xz. But even the best codes have their cracks. In 7-Zip version 22.01, a subtle bug lets certain broken xz files slide through without errors, giving attackers a new puzzle piece for crafting exploit chains. Here’s what went wrong, how the bug looks in practice, and what you can do if you're affected.*

What is CVE-2022-47112?

CVE-2022-47112 is a vulnerability originating in how 7-Zip 22.01 parses .xz archives. The bug means invalid xz files—specifically ones with incorrect stream flags or reserved bits set—don’t trigger error messages when they should. The parser ends up acting as if the file is fine.

Why does this matter?

- If 7-Zip doesn’t spot a corrupt or intentionally malformed XZ archive, it could allow sneaking past integrity or malware checks, or poison how files are handled downstream.

This behavior could chain into more serious issues, if an attacker can plant special xz files.

Later versions fixed the problem, so newer releases are safe.

The Anatomy of the Bug

XZ File Structure Quick Recap:
An xz file starts with a stream header, followed by data, then a stream footer. In that header and footer, there’re "stream flags" and some reserved bits—unused bits that are supposed to be zeroed for future compatibility, according to the XZ File Format Specification.

The bug:
7-Zip 22.01 fails to validate these stream flags and reserved bits. If you flip some reserved bits to 1, you’re creating an invalid xz file. 7-Zip, however, doesn’t complain. It goes through parsing (and maybe extraction), as if nothing’s wrong.

Code Snippet: Patch Example

Let’s see how a check might look in a codebase like 7-Zip. (Pseudocode for illustration.)

// Old vulnerable code:
ReadStreamFlags(streamFlags);
// ...proceed without proper check...

// Fixed code (simplified):
ReadStreamFlags(streamFlags);
if ((streamFlags & RESERVED_BITS_MASK) != ) {
    ReportError("Invalid reserved bits in stream flags");
    return Error;
}

Here, RESERVED_BITS_MASK would reflect which bits should be zero.

Exploit Details: How Malformed XZ Files Slip In

An attacker can create a custom xz file—with reserved bits in the stream flags set—that should fail validation.

Open the file with 7-Zip 22.01.

4. Observe: Unlike newer versions, 7-Zip 22.01 does not display any error, and may act like the archive is valid.

Example (Python snippet for quick test)

with open('myfile.xz', 'rb+') as f:
    f.seek(6)  # Stream Flags start byte (verify with spec)
    val = f.read(1)
    new_byte = bytes([val[] | b00010000])  # Set a reserved bit
    f.seek(6)
    f.write(new_byte)

Open this edited file in 7-Zip 22.01. No complaint about corruption!

Impact: Why Should You Care?

For most end-users, this bug looks minor—you won’t notice day-to-day. But for security tools, auditors, and upstream pipelines that trust 7-Zip as a reliable validator, it matters. Accepting broken archives can open doors—especially if used as part of a larger exploit method, or in cases where being able to bypass “bad file” rejection is important to an attacker.


### Who’s Affected/Fixes

Affected: 7-Zip version 22.01 (and possibly some prior releases)

- Not Affected: Later versions (such as 23.00+) that have added stream flag and reserved bit validation.

Patch/Upgrade:
Update 7-Zip to the latest official release to avoid this risk. Linux distros with 7-Zip packages should be checked for version number.

References

- XZ File Format Spec
- 7-Zip Download Page (Official)
- CVE-2022-47112 Entry - NIST
- Original Advisory on GitHub (“7Zip does not reject invalid Lzma2 or XZ files”)

Final Words

CVE-2022-47112 is a good reminder: even the best software can miss a check or two. For critical uses—stuff like digital forensics, malware scanning, and high-sensitivity file handling—trust only up-to-date tools. A single unchecked bit might seem harmless, but in security, small cracks let water in.

Want to try it? Edit a small xz file, flip a reserved bit, and see how different 7-Zip versions behave.

*Stay safe, keep 7-Zip fresh, and remember to check your bits!*


*If you liked this deep-dive, check out more vulnerability research at your favorite open source security blog!*

Timeline

Published on: 04/19/2025 21:15:45 UTC
Last modified on: 04/21/2025 14:23:45 UTC