PT-2023-4490 · Igor Pavlov +1 · 7-Zip +1
Goodbyeselene
·
Published
2023-08-23
·
Updated
2025-08-12
·
CVE-2023-40481
10
High
| Base vector | Vector | AV:N/AC:L/Au:N/C:C/I:C/A:C |
Name of the Vulnerable Software and Affected Versions:
7-Zip (affected versions not specified)
Description:
This issue allows remote attackers to execute arbitrary code on affected installations of 7-Zip. User interaction is required to exploit this issue, where the target must visit a malicious page or open a malicious file. The specific flaw exists within the parsing of SQFS files, resulting from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this issue to execute code in the context of the current process.
Recommendations:
At the moment, there is no information about a newer version that contains a fix for this issue.
Fix
RCE
Memory Corruption
Related Identifiers
Affected Products
References · 19
- https://cve.org/CVERecord?id=CVE-2023-40481 · Security Note
- https://security-tracker.debian.org/tracker/CVE-2023-40481 · Vendor Advisory
- https://security-tracker.debian.org/tracker/source-package/7zip · Vendor Advisory
- https://bdu.fstec.ru/vul/2023-04886 · Security Note
- https://nvd.nist.gov/vuln/detail/CVE-2023-40481 · Security Note
- https://osv.dev/vulnerability/UBUNTU-CVE-2023-40481 · Vendor Advisory
- https://osv.dev/vulnerability/CVE-2023-40481 · Vendor Advisory
- https://safe-surf.ru/specialists/bulletins-nkcki/697872 · Security Note
- https://zerodayinitiative.com/advisories/ZDI-23-1164 · Security Note
- https://safe-surf.ru/specialists/bulletins-nkcki/713182 · Security Note
- https://ubuntu.com/security/CVE-2023-40481 · Vendor Advisory
- https://sourceforge.net/p/sevenzip/discussion/45797/thread/713c8a8269 · Vendor Advisory
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40481 · Security Note
- https://twitter.com/s4mb4sh/status/1696530480492134589 · Twitter Post
- https://vuldb.com/ru/?id.237882 · Note