CVE-2026-55206
miurahr · py7zr
The py7zr library contains a vulnerability related to inefficient algorithmic complexity, which can be exploited to cause a denial-of-service.
Executive summary
The py7zr library is susceptible to a denial-of-service attack due to inefficient algorithmic complexity when handling certain 7zip archive inputs.
Vulnerability
This vulnerability (CWE-407) involves inefficient algorithmic complexity, allowing unauthenticated attackers to trigger extreme processing delays or resource exhaustion. The flaw occurs during the decompression or processing phase of the library when handling specifically crafted, complex archives.
Business impact
By submitting a specially crafted archive, an attacker can force the application to consume excessive CPU cycles, resulting in a denial-of-service for the affected application. With a CVSS score of 8.7, this vulnerability poses a severe risk to the operational stability of any system relying on py7zr for archive processing.
Remediation
Immediate Action: Upgrade to py7zr version 1.1.3 or later, which addresses the algorithmic inefficiencies in the library.
Proactive Monitoring: Monitor for unusually long processing times for archive decompression tasks, which may indicate an exploitation attempt.
Compensating Controls: Deploy time-out mechanisms on all file processing functions to prevent a single malicious archive from locking up system threads indefinitely.
Exploitation status
Public Exploit Available: false
Analyst recommendation
The performance impact of this flaw can effectively render applications unavailable. It is critical to update to version 1.1.3 immediately and ensure that resource-intensive operations are wrapped in protective time-outs.