CVE-2026-55206

miurahr · py7zr

The py7zr library contains a vulnerability related to inefficient algorithmic complexity, which can be exploited to cause a denial-of-service.

Executive summary

The py7zr library is susceptible to a denial-of-service attack due to inefficient algorithmic complexity when handling certain 7zip archive inputs.

Vulnerability

This vulnerability (CWE-407) involves inefficient algorithmic complexity, allowing unauthenticated attackers to trigger extreme processing delays or resource exhaustion. The flaw occurs during the decompression or processing phase of the library when handling specifically crafted, complex archives.

Business impact

By submitting a specially crafted archive, an attacker can force the application to consume excessive CPU cycles, resulting in a denial-of-service for the affected application. With a CVSS score of 8.7, this vulnerability poses a severe risk to the operational stability of any system relying on py7zr for archive processing.

Remediation

Immediate Action: Upgrade to py7zr version 1.1.3 or later, which addresses the algorithmic inefficiencies in the library.

Proactive Monitoring: Monitor for unusually long processing times for archive decompression tasks, which may indicate an exploitation attempt.

Compensating Controls: Deploy time-out mechanisms on all file processing functions to prevent a single malicious archive from locking up system threads indefinitely.

Exploitation status

Public Exploit Available: false

Analyst recommendation

The performance impact of this flaw can effectively render applications unavailable. It is critical to update to version 1.1.3 immediately and ensure that resource-intensive operations are wrapped in protective time-outs.