What is the new 7-Zip vulnerability CVE-2025-53816 and how can it crash systems using RAR5 files?
A memory corruption vulnerability in 7-Zip, tracked as CVE-2025-53816, lets an attacker craft a RAR5 archive that triggers a heap-based buffer overflow in the decoder and causes a denial-of-service (DoS) condition. The flaw affects every 7-Zip release before 25.00: while recovering from damaged archive data, the decoder zero-fills memory past the end of its allocated window. The bug is not known to enable code execution, but it is a real risk wherever untrusted archives are processed automatically, because a single crafted file can crash the extracting process. Users should update to 7-Zip 25.00 or later.

Table of Contents
- What is the 7-Zip vulnerability discovered in July 2025?
- How does the 7-Zip RAR5 vulnerability work?
- Why is this vulnerability important?
- Disclosure Timeline: How quickly was it patched?
- Should you be worried if you're using 7-Zip?
- Technical Table: CVE-2025-53816 Summary
- Conclusion
- Frequently Asked Questions (FAQs)
What is the 7-Zip vulnerability discovered in July 2025?
A newly disclosed vulnerability in 7-Zip, one of the world’s most popular file archiving tools, has raised concerns across cybersecurity communities. The flaw, tracked as CVE-2025-53816 (GHSL-2025-058), is a heap-based buffer overflow in the RAR5 decoder component. It allows attackers to crash the application by feeding it a maliciously crafted RAR5 archive, creating a Denial-of-Service (DoS) condition.
While the vulnerability does not permit arbitrary code execution, it still poses a medium severity threat (CVSS score 5.5), especially for systems that regularly process untrusted archive files—such as mail servers, automation systems, or corporate document workflows.
How does the 7-Zip RAR5 vulnerability work?
The issue lies in NCompress::NRar5::CDecoder, the class that decodes RAR5 data in 7-Zip. When recovering from damaged archive data, the decoder zero-fills part of its sliding window with this call:
My_ZeroMemory(_window + _winPos, (size_t)rem)
Here rem is derived from _lzEnd - lzSize, and _lzEnd depends on the sizes of previous RAR5 items, values the attacker controls through the archive headers. Nothing ties rem to the space actually left in _window, so a crafted archive makes the call write zero bytes far beyond the window's allocation, corrupting heap memory and crashing the process.
Security researcher Jaroslav Lobačevski from GitHub Security Lab detected this using AddressSanitizer (ASAN). His PoC showed that over 9,400 bytes were written past the buffer boundary in a test case.
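The following is an added example, not 7-Zip's source: a constructed model of the window zero-fill described above. The field names mirror the identifiers the article quotes (_window, _winPos, _lzEnd, rem), but the struct, the numbers and the bound check are this example's own. It shows why a header-derived rem can exceed the window, how many bytes the unchecked fill would write past the buffer (the figure ASAN reports), and what a checked version that rejects such values looks like.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of a RAR5-style LZ window. Not 7-Zip's code. */
typedef struct {
    uint8_t *window;   /* heap-allocated LZ window */
    size_t   winSize;  /* bytes actually allocated for window */
    size_t   winPos;   /* next write position inside window */
    uint64_t lzEnd;    /* expected end of the LZ stream, carried over from
                          earlier archive items (attacker-influenced) */
} Rar5Model;

/* Vulnerable shape: rem is taken straight from header-derived values and
 * handed to the zero-fill with no relation to the window's real size. */
static int64_t unchecked_rem(const Rar5Model *m, uint64_t lzSize)
{
    return (int64_t)(m->lzEnd - lzSize);
}

/* How many bytes the unchecked fill would write past the end of window
 * (0 when it fits). This is the quantity an ASAN report shows as overflow. */
static uint64_t overflow_bytes(const Rar5Model *m, uint64_t lzSize)
{
    if (m->lzEnd < lzSize) return UINT64_MAX;      /* rem underflows: huge fill */
    uint64_t rem   = m->lzEnd - lzSize;
    uint64_t avail = m->winPos < m->winSize ? m->winSize - m->winPos : 0;
    return rem > avail ? rem - avail : 0;
}

/* Hardened shape: validate before touching memory. Returns 0 and the safe
 * length in *out, or -1 when the header-derived value cannot be honoured. */
static int checked_rem(const Rar5Model *m, uint64_t lzSize, size_t *out)
{
    if (m->lzEnd < lzSize) return -1;              /* negative remainder */
    if (m->winPos > m->winSize) return -1;         /* corrupt write position */
    uint64_t rem   = m->lzEnd - lzSize;
    uint64_t avail = m->winSize - m->winPos;
    if (rem > avail) return -1;                    /* would overrun window */
    *out = (size_t)rem;
    return 0;
}

/* Zero-fill only after the bound check passed; this memset is what
 * My_ZeroMemory stands for in the article's snippet. */
static int safe_zero_fill(Rar5Model *m, uint64_t lzSize)
{
    size_t n;
    if (checked_rem(m, lzSize, &n) != 0) return -1;
    memset(m->window + m->winPos, 0, n);
    m->winPos += n;
    return 0;
}

/* Scenario (constructed numbers): a 4 KiB window, 1 KiB already used, and
 * header values that ask for a 6 KiB fill. Returns the overrun in bytes. */
static uint64_t scenario_overrun(void)
{
    static uint8_t win[4096];
    Rar5Model m = { win, sizeof win, 1024, 8192 };
    return overflow_bytes(&m, 2048);              /* rem 6144, avail 3072 */
}

/* Same window with a sane lzEnd: the checked fill succeeds and winPos
 * advances by exactly rem. Returns the new winPos, or 0 on rejection. */
static size_t scenario_safe(void)
{
    static uint8_t win[4096];
    Rar5Model m = { win, sizeof win, 1024, 3072 };
    if (safe_zero_fill(&m, 2048) != 0) return 0;  /* rem 1024 fits */
    return m.winPos;
}

int main(void)
{
    static uint8_t win[4096];
    Rar5Model m = { win, sizeof win, 1024, 8192 };
    printf("header-derived rem = %lld, but only %zu bytes remain in window\n",
           (long long)unchecked_rem(&m, 2048), m.winSize - m.winPos);
    printf("unchecked fill would overrun by %llu bytes\n",
           (unsigned long long)scenario_overrun());
    printf("checked fill advanced winPos to %zu\n", scenario_safe());
    return 0;
}
```

The point of the checked variant is that the clamp is against the allocation (winSize - winPos), not against anything read from the archive; a value the attacker controls can never be the only bound on a memset.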
Why is this vulnerability important?
- Widespread Use of 7-Zip: With over 1.3 million monthly visits to its website and countless downloads, 7-Zip is heavily used in both personal and enterprise environments.
- Archive-Based Malware Delivery: Archive formats like ZIP and RAR are now the #1 malware delivery method (39% of threats), making archive tools frequent targets.
- Automated Processing Risks: Systems that auto-process incoming archives (e.g., email attachments, backups, pipelines) could crash unexpectedly if fed a malicious file.
- Potential Workflow Disruptions: Even though remote code execution is unlikely, crashing key workflows or applications is enough to cause major damage.
Disclosure Timeline: How quickly was it patched?
Date | Event |
---|---|
April 24, 2025 | Vulnerability privately reported to 7-Zip developers |
April 29, 2025 | Acknowledged by the development team |
July 5, 2025 | Patched in version 25.00 |
The vulnerability has been fully patched in 7-Zip version 25.00, which also includes performance enhancements and better CPU thread usage.
Should you be worried if you're using 7-Zip?
If you're using any version prior to 25.00, any process that uses 7-Zip to open a crafted RAR5 file can be crashed. The flaw doesn't allow system takeover, but the ability to crash a target on demand is still useful to an attacker: knocking over an automated scanner or extraction service, for example, can leave a gap that other payloads pass through, which is the kind of distraction ransomware groups and initial access brokers look for.
Recommendations for Users and Admins
- Update Immediately: Download 7-Zip version 25.00 or later from the official site. Since there's no auto-update, manual action is required.
- Avoid Processing Unknown Archives Automatically: Implement strict rules for scanning or sandboxing archive files before processing.
- Monitor File Activity: Use EDR/XDR tools to watch for abnormal file behavior and, in particular, for crashes of the 7-Zip binaries (7z.exe, 7zG.exe, 7zFM.exe, or 7zz on Linux) in automated pipelines, since a crashing extractor may be the only sign of a crafted archive.
- Harden Archive Handling Pipelines: Segment systems that process user-submitted files to limit blast radius in case of attack.
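To find which builds in a fleet still need the update, the banner line that `7z` prints can be parsed and compared numerically against 25.00. The following is an added example, not a 7-Zip tool; the sample banners are constructed from the layouts used by Windows 7-Zip, p7zip and the old 9.x releases, and the dates in them are illustrative.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Version that carries the CVE-2025-53816 fix, per the advisory. */
#define FIXED_MAJOR 25
#define FIXED_MINOR 0

/* Parse "7-Zip <major>.<minor>" out of a banner line. Skips the "[64]" tag
 * that p7zip prints. Returns 0 and fills major/minor, or -1 if not found. */
static int parse_7zip_version(const char *banner, int *major, int *minor)
{
    const char *p = strstr(banner, "7-Zip");
    if (!p) return -1;
    p += strlen("7-Zip");
    while (*p) {
        if (*p == '[') {                 /* e.g. "7-Zip [64] 16.02 : ..." */
            const char *close = strchr(p, ']');
            if (!close) return -1;
            p = close + 1;
            continue;
        }
        if (isdigit((unsigned char)*p)) {
            char *end;
            long maj = strtol(p, &end, 10);
            if (*end != '.' || !isdigit((unsigned char)end[1])) return -1;
            long min = strtol(end + 1, &end, 10);
            if (maj < 0 || maj > 999 || min < 0 || min > 99) return -1;
            *major = (int)maj;
            *minor = (int)min;
            return 0;
        }
        p++;
    }
    return -1;
}

/* 1 = affected (before 25.00), 0 = fixed, -1 = not a 7-Zip banner.
 * Compare numerically: a string compare sorts "9.20" after "25.00". */
static int is_affected_by_cve_2025_53816(const char *banner)
{
    int maj, min;
    if (parse_7zip_version(banner, &maj, &min) != 0) return -1;
    if (maj != FIXED_MAJOR) return maj < FIXED_MAJOR;
    return min < FIXED_MINOR;
}

/* Constructed sample banners (layouts only; dates are illustrative). */
static const char *const SAMPLE_BANNERS[] = {
    "7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29",
    "7-Zip 25.00 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-07-05",
    "7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21",
    "7-Zip 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18",
    "UnZip 6.00 of 20 April 2009, by Info-ZIP.",
};

int main(void)
{
    size_t count = sizeof SAMPLE_BANNERS / sizeof *SAMPLE_BANNERS;
    for (size_t i = 0; i < count; i++) {
        int r = is_affected_by_cve_2025_53816(SAMPLE_BANNERS[i]);
        printf("%-8s %s\n",
               r == 1 ? "AFFECTED" : r == 0 ? "fixed" : "unknown",
               SAMPLE_BANNERS[i]);
    }
    return 0;
}
```

Feed it the first line of `7z` (or `7zz`) output from each host; the numeric compare matters because inventory scripts that sort version strings lexically will happily report 9.20 as newer than 25.00.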
Technical Table: CVE-2025-53816 Summary
Attribute | Details |
---|---|
Vulnerability ID | CVE-2025-53816 (GHSL-2025-058) |
Severity | Medium (CVSS 5.5) |
Discovered by | Jaroslav Lobačevski (GitHub Security Lab) |
Affected Software | 7-Zip (prior to v25.00) |
Impact | Denial of Service via heap-based buffer overflow |
Root Cause | Unbounded length (rem, derived from attacker-controlled _lzEnd) passed to the RAR5 window zero-fill |
Exploit Vector | Malicious RAR5 archive file |
Patch Released | July 5, 2025 (v25.00) |
Risk Mitigation | Manual update + disable automatic archive handling |
Conclusion
This incident serves as a reminder of the hidden dangers in widely-used utilities. File decompression tools often operate silently in the background, yet they’re frequently exposed to untrusted input. As threat actors continue to evolve their techniques, even simple actions like opening an archive file can become a vector for compromise.
Keep your tools updated, track memory-safety advisories for the parsers in your pipelines, and always handle untrusted files with caution.
FAQs
What is CVE-2025-53816?
CVE-2025-53816 is a vulnerability in 7-Zip's RAR5 decoder that causes memory corruption and potential system crashes.
How does this 7-Zip vulnerability work?
It exploits a miscalculation in memory operations during corrupted archive recovery, leading to heap buffer overflow.
Which versions of 7-Zip are affected?
All versions before 7-Zip 25.00 are affected by this flaw.
Who discovered the 7-Zip CVE-2025-53816 bug?
It was discovered by Jaroslav Lobačevski of GitHub Security Lab.
Is this vulnerability remotely exploitable?
Not in the sense of remote code execution: the attack needs a crafted RAR5 file to be opened by a vulnerable 7-Zip, which is why the CVSS vector is local. That file can of course be delivered remotely, by email or download, and then crashes the process that extracts it.
How severe is the 7-Zip CVE-2025-53816 vulnerability?
It has a CVSS score of 5.5, which is considered medium severity.
What are RAR5 files?
RAR5 is a newer compression format used by WinRAR and supported by 7-Zip.
Can antivirus software detect malicious RAR5 files?
Some engines may flag known samples, but a crafted RAR5 archive need carry no payload at all, so detection is not guaranteed; the reliable control is the update.
What can happen if the vulnerability is exploited?
The system may crash or automated processes that rely on 7-Zip may be disrupted.
Is there a patch available?
Yes, version 25.00 of 7-Zip fixes this issue.
How do I update 7-Zip?
You must manually download the latest version from the official 7-Zip website.
What should organizations do to protect systems?
Organizations should apply the latest patch and avoid processing untrusted archives.
Does this vulnerability affect Linux or macOS?
Yes. 7-Zip publishes official builds for Windows and Linux (and a macOS console build), and the RAR5 decoder is shared across them, so any build before 25.00 is affected regardless of OS. Forks such as p7zip are built from older 7-Zip sources and are not covered by the 25.00 release; check with their maintainers.
Why are archive file vulnerabilities dangerous?
They are often used to deliver malware and bypass security filters.
Is this vulnerability actively exploited in the wild?
There are no confirmed exploits in the wild yet, but PoCs exist.
What is a heap-based buffer overflow?
It’s a memory flaw where excess data overwrites adjacent memory on the heap, potentially causing crashes.
Can this flaw lead to data loss?
Yes, if memory corruption crashes active processes, unsaved data may be lost.
Why doesn’t 7-Zip auto-update?
7-Zip lacks built-in update functionality, requiring manual updates.
What should enterprise users do?
Update all systems using 7-Zip and monitor for abnormal archive behavior.
What is the role of AddressSanitizer in this discovery?
It was used to detect and confirm the heap buffer overflow during testing.
How popular is 7-Zip?
It receives over 1.3 million monthly visits and is used globally in personal and enterprise systems.
Could this vulnerability be used in phishing campaigns?
Yes, attackers may attach the RAR5 file to phishing emails so that 7-Zip crashes when the recipient opens it, or so that an automated attachment scanner built on 7-Zip fails.
What is GHSL-2025-058?
It is the GitHub Security Lab advisory identifier for this vulnerability, assigned alongside the CVE.
What kind of data can be at risk?
While no data theft occurs, disrupted systems may impact operations and availability.
Is this vulnerability related to ransomware?
No, but it can be used in conjunction with other tactics to disable defenses or workflows.
Who is Igor Pavlov?
He is the developer of 7-Zip and released the patched version (25.00) fixing the bug.
When was this vulnerability reported and patched?
It was reported on April 24, acknowledged on April 29, and patched on July 5, 2025.
Should users stop using 7-Zip?
No, but they must upgrade to version 25.00 or later for safety.
What should users do after updating?
Delete older versions and confirm that the system runs 7-Zip 25.00 or above.
What other improvements are in 7-Zip 25.00?
Performance enhancements and better CPU thread usage for compression tasks.
Where can I download the updated 7-Zip?
From the official 7-Zip website: https://www.7-zip.org/