Ubuntu: Wide-ranging 7-zip vulnerability with 8.8 CVE rating allows for code execution — hundreds of millions of machines potentially at risk

Critical 7-Zip Vulnerability Exposes Millions of Systems to Remote Code Execution

A high-severity vulnerability (CVE-2024-*, rated 8.8) in the widely used open-source utility 7-Zip has been disclosed, allowing attackers to execute malicious code simply by tricking users into opening a crafted archive. The flaw affects all versions prior to 26.01, released in late April, and requires no further interaction: merely opening a booby-trapped file (.7z, .zip, .rar, or even a disguised NTFS disk image) on a system with at least 16 GB of RAM is sufficient for exploitation.

The impact is severe due to 7-Zip’s ubiquity. Beyond the Windows GUI application, command-line variants across multiple operating systems, including Linux distributions with outdated p7zip ports, are vulnerable. Millions of CI/CD pipelines, automated scripts, and server processes that interact with archives (even just to list their contents) are at risk. With over 400 million downloads on SourceForge and 24.5 million via Chocolatey, plus widespread inclusion in Linux servers, VMs, and Docker images, the potential attack surface spans hundreds of millions of machines.

The vulnerability extends further due to 7-Zip’s integration into third-party software. Antivirus scanners, backup tools, log analyzers, file managers, and malware sandboxes often embed 7-Zip’s libraries, many of which run with elevated permissions. Exploitation requires no user interaction in these cases, enabling drive-by attacks via poisoned archives.

The flaw stems from a bug in 7-Zip’s handling of NTFS disk images, where an attacker can manipulate buffer values to trigger arbitrary code execution. Notably, 7-Zip ignores file extensions and relies instead on file headers, meaning malicious NTFS images can be hidden behind standard archive extensions.

Testing confirms vulnerable versions are present in Ubuntu 24/26, RHEL 8, Fedora, and many OEM systems that bundle 7-Zip by default. Without built-in update mechanisms, mitigation depends on manual upgrades or package manager updates.
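The two defensive checks that follow from the last two paragraphs, written here as an added example rather than anything from 7-Zip or the article: classify incoming files by header bytes the way 7-Zip does (so an NTFS boot sector renamed to .7z is caught before an archive-handling pipeline touches it), and parse the banner `7z` prints to flag installs older than 26.01. The magic values are the published ones for 7z, ZIP, RAR and the NTFS OEM ID; the sample blobs and banners are constructed.

```python
import os.path
import re

# Header bytes of the container formats the article names. An NTFS boot sector
# starts with a jump instruction and carries the OEM ID "NTFS    " at offset 3.
MAGIC = {
    "7z": b"7z\xbc\xaf\x27\x1c",
    "zip": b"PK\x03\x04",
    "rar": b"Rar!\x1a\x07",
}
ARCHIVE_EXTS = {".7z", ".zip", ".rar"}
FIXED_VERSION = (26, 1)  # 26.01, the first release the article reports as fixed

def sniff(data: bytes) -> str:
    """Classify a blob by its header, as 7-Zip does, ignoring the file name."""
    if data[3:11] == b"NTFS    ":
        return "ntfs"
    for name, magic in MAGIC.items():
        if data.startswith(magic):
            return name
    return "unknown"

def is_disguised_ntfs(filename: str, data: bytes) -> bool:
    """True when an archive extension (.7z/.zip/.rar) fronts an NTFS image."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in ARCHIVE_EXTS and sniff(data) == "ntfs"

def parse_7z_version(banner: str):
    """Return (major, minor) from the first line `7z` prints, or None."""
    m = re.search(r"\b(\d+)\.(\d+)\b", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None

def is_vulnerable_version(banner: str) -> bool:
    """Fail closed: a banner that cannot be parsed is reported as vulnerable."""
    v = parse_7z_version(banner)
    return v is None or v < FIXED_VERSION

# Constructed samples, not real files: an honest zip, an NTFS boot sector
# renamed to .7z, and two banners in the shapes p7zip and 7-Zip print.
SAMPLES = {"report.zip": b"PK\x03\x04" + b"\x00" * 26,
           "backup.7z": b"\xeb\x52\x90NTFS    " + b"\x00" * 500}
BANNERS = ["7-Zip [64] 16.02", "7-Zip 26.01 (x64)"]
```

Run `sniff` on every member after extraction as well, since a valid archive can carry an NTFS image as one of its entries.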

Source: https://www.tomshardware.com/tech-industry/cyber-security/wide-ranging-7-zip-vulnerability-with-8-8-cve-rating-allows-for-code-execution-hundreds-of-millions-of-machines-potentially-at-risk

Ubuntu cybersecurity rating report: https://www.rankiteo.com/company/ubuntu-linux

{
  "id": "UBU1779978504",
  "linkid": "ubuntu-linux",
  "type": "Vulnerability",
  "date": "4/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}

{'affected_entities': [{'customers_affected': 'Millions of systems (Windows, '
                                              'Linux, CI/CD pipelines, '
                                              'servers, VMs, Docker images)',
                        'industry': 'Software/Technology',
                        'location': 'Global',
                        'name': '7-Zip',
                        'size': 'Millions of users (400M+ downloads on '
                                'SourceForge, 24.5M via Chocolatey)',
                        'type': 'Open-source software utility'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Ubuntu',
                        'type': 'Operating System'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'RHEL 8',
                        'type': 'Operating System'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Fedora',
                        'type': 'Operating System'},
                       {'industry': 'Technology',
                        'location': 'Global',
                        'name': 'Third-party software vendors',
                        'type': 'Software (Antivirus, backup tools, log '
                                'analyzers, file managers, malware '
                                'sandboxes)'}],
 'attack_vector': 'Malicious archive files (.7z, .zip, .rar, NTFS disk images)',
 'description': 'A high-severity vulnerability (CVE-2024-*, rated 8.8) in the '
                'widely used open-source utility 7-Zip has been disclosed, '
                'allowing attackers to execute malicious code simply by '
                'tricking users into opening a crafted archive. The flaw '
                'affects all versions prior to 26.01, released in late April, '
                'and requires no further interaction. Exploitation can occur '
                'by opening a booby-trapped file (.7z, .zip, .rar, or '
                'disguised NTFS disk images) on a system with at least 16 GB '
                'of RAM.',
 'impact': {'operational_impact': 'Potential compromise of automated scripts, '
                                  'server processes, and third-party software '
                                  'embedding 7-Zip libraries',
            'systems_affected': 'Hundreds of millions of machines (Windows, '
                                'Linux, CI/CD pipelines, servers, VMs, Docker '
                                'images)'},
 'post_incident_analysis': {'corrective_actions': 'Patch vulnerability in '
                                                  'version 26.01, improve file '
                                                  'handling validation',
                            'root_causes': "Buffer manipulation in 7-Zip's "
                                           'handling of NTFS disk images, '
                                           'allowing arbitrary code execution'},
 'recommendations': 'Upgrade 7-Zip to version 26.01 or later, audit '
                    'third-party software for embedded 7-Zip libraries, and '
                    'monitor for malicious archive files.',
 'references': [{'source': 'SourceForge',
                 'url': 'https://sourceforge.net/projects/sevenzip/'},
                {'source': 'Chocolatey',
                 'url': 'https://chocolatey.org/packages/7zip'}],
 'response': {'containment_measures': 'Manual upgrades to version 26.01 or '
                                      'later, package manager updates',
              'remediation_measures': 'Upgrade 7-Zip to version 26.01 or '
                                      'later'},
 'title': 'Critical 7-Zip Vulnerability Exposes Millions of Systems to Remote '
          'Code Execution',
 'type': 'Remote Code Execution (RCE)',
 'vulnerability_exploited': 'CVE-2024-* (Buffer manipulation in NTFS disk '
                            'image handling)'}