VulnerableCode Package Details - pkg:deb/debian/7zip@26.00%2Bdfsg-4?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-bzcx-rxg3-aygs	7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of Zstandard decompression. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24346.	CVE-2024-11477
VCID-h4pw-pga4-77ex	7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.	CVE-2025-0411
VCID-hgkj-wq8u-q3eh	The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc.	CVE-2023-52168
VCID-uebs-8u4d-3bd1	The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process.	CVE-2023-52169

Vulnerability

Summary

Aliases

VCID-bzcx-rxg3-aygs

7-Zip Zstandard Decompression Integer Underflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the implementation of Zstandard decompression. The issue results from the lack of proper validation of user-supplied data, which can result in an integer underflow before writing to memory. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-24346.

CVE-2024-11477

VCID-h4pw-pga4-77ex

7-Zip Mark-of-the-Web Bypass Vulnerability. This vulnerability allows remote attackers to bypass the Mark-of-the-Web protection mechanism on affected installations of 7-Zip. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file. The specific flaw exists within the handling of archived files. When extracting files from a crafted archive that bears the Mark-of-the-Web, 7-Zip does not propagate the Mark-of-the-Web to the extracted files. An attacker can leverage this vulnerability to execute arbitrary code in the context of the current user. Was ZDI-CAN-25456.

CVE-2025-0411

VCID-hgkj-wq8u-q3eh

The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains a heap-based buffer overflow that allows an attacker to overwrite two bytes at multiple offsets beyond the allocated buffer size: buffer+512*i-2, for i=9, i=10, i=11, etc.

CVE-2023-52168

VCID-uebs-8u4d-3bd1

The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process.

CVE-2023-52169

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T11:42:58.804432+00:00	Debian Importer	Fixing	VCID-hgkj-wq8u-q3eh	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T11:06:30.583429+00:00	Debian Importer	Fixing	VCID-bzcx-rxg3-aygs	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:05:41.560562+00:00	Debian Importer	Fixing	VCID-uebs-8u4d-3bd1	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T08:43:10.112670+00:00	Debian Importer	Fixing	VCID-h4pw-pga4-77ex	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-13T07:59:07.845822+00:00	Debian Importer	Fixing	VCID-hgkj-wq8u-q3eh	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-13T07:32:43.642000+00:00	Debian Importer	Fixing	VCID-bzcx-rxg3-aygs	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:05:36.485989+00:00	Debian Importer	Fixing	VCID-uebs-8u4d-3bd1	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T17:51:29.967552+00:00	Debian Importer	Fixing	VCID-h4pw-pga4-77ex	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-02T17:12:30.285041+00:00	Debian Importer	Fixing	VCID-hgkj-wq8u-q3eh	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:10:24.844727+00:00	Debian Importer	Fixing	VCID-bzcx-rxg3-aygs	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:03:47.813986+00:00	Debian Importer	Fixing	VCID-uebs-8u4d-3bd1	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-02T17:02:27.510018+00:00	Debian Importer	Fixing	VCID-h4pw-pga4-77ex	https://security-tracker.debian.org/tracker/data/json	38.1.0