CVE-2024-11477 - 7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability Explained

7-Zip is a leading open-source file archiver, renowned for its support of multiple compression formats, including ZIP, RAR, 7z, and more recently, Zstandard (ZSTD). In early 2024, a serious vulnerability (CVE-2024-11477) in the way 7-Zip processes Zstandard files came to light, putting millions of users and applications at risk. If you use 7-Zip or rely on its libraries in your projects, this long read will help you understand the issue, its impact, and what you can do to protect yourself.

What is CVE-2024-11477?

CVE-2024-11477 is a remote code execution (RCE) vulnerability caused by an integer underflow within the Zstandard decompression routine of 7-Zip. It was originally discovered and reported as ZDI-CAN-24346 by Zero Day Initiative.

Key Points

- Software Affected: 7-Zip (All versions prior to fixed release, including standalone binaries and library integrations)

Vulnerability Type: Integer Underflow leading to remote code execution

- Attack Requirements: Attacker-controlled Zstandard (.zst) file needs to be opened or processed by the target (user interaction or application processing)

Where’s the Bug?

When decompressing a Zstandard archive, 7-Zip reads and processes user-supplied data to determine how much memory to allocate, where to write, and how to proceed with uncompression. In certain scenarios, a clever attacker can construct a malicious Zstandard file with specially crafted headers that cause an integer variable to “wrap around”, resulting in an incorrect and extremely large size (or even a negative value interpreted unsigned as a huge positive number).

This is called an integer underflow and can result in buffer overflows or writing data to unintended locations in memory.

If an attacker gets 7-Zip to process such a file, they can potentially execute code of their choosing on the victim’s computer, using the current permissions of the user or application running the decompression.

For illustration purposes, here’s what this kind of vulnerability often looks like in C/C++ code

// Simplified pseudocode based on public analysis

uint32_t chunkSize = read_chunk_size(header); // reads from file, attacker-controlled

uint32_t bufferSize = chunkSize - HEADER_SIZE; // The bug: no check for underflow

char* buffer = (char*)malloc(bufferSize);
if (!buffer) crash();

// ...process archive data, copy to buffer...
memcpy(buffer, src, bufferSize); // Dangerous if bufferSize extremely large or wraps around!

If chunkSize is less than HEADER_SIZE, then bufferSize becomes a huge positive number (due to wrap-around) and malloc might succeed or fail, but later memory access can smash the stack or heap, enabling the attacker to inject code.

Exploit Possibilities

Remote attackers can craft a malicious .zst or .7z file with a Zstandard-compressed payload. Attack vectors include:

- Convincing a user to open/extract the file with 7-Zip’s GUI or command-line tool

Bypassing email or upload scans (until the file is decompressed)

Escalate privileges (depending on system configs)

Proof of Concept (PoC):
A real-world PoC is not public as of this writing, but researchers have demonstrated in private that a malicious .zst file can result in execution of supplied shellcode after opening/extracting with a vulnerable 7-Zip build.

End users who open files from untrusted sources.

- Developers who use the 7-Zip library (such as in backup, archive management, or cloud upload tools).

Update 7-Zip

Always use the latest release of 7-Zip. As of the release window of this vulnerability, maintainers issued a patch that tightens checks on all input math, preventing underflows.

Audit Your Dependencies

If you use 7-Zip as a library, verify your build includes the fixed code or update to a patched version.

References & Further Reading

- CVE-2024-11477 at NVD
- Zero Day Initiative Advisory ZDI-24-526
- 7-Zip Official Site & Downloads
- Understanding Integer Underflows - OWASP

Final Thoughts

CVE-2024-11477 is a stark reminder that even widely respected, open-source utilities can hide dangerous bugs for years. If you or your organization rely on 7-Zip, take immediate action: update, audit, and educate users against opening suspicious files. While interaction is required for exploitation, the vast number of systems using 7-Zip means this bug will linger in the wild—be vigilant!


*If this long read helped you stay secure, consider sharing it with your team. Stay safe and keep your software up to date!*

Timeline

Published on: 11/22/2024 21:15:08 UTC