Table of contents
- Memory corruption bug: CVE-2025-53816 hits 7-Zip
- How the attack works: overflow and miscalculated zeroes
- No remote code, but serious denial-of-service risk
- Why this vulnerability is alarming
- How to stay protected
Memory corruption bug: CVE-2025-53816 hits 7-Zip
A new memory corruption vulnerability has been discovered in 7-Zip, one of the most widely used file archivers globally. Identified as CVE-2025-53816 (also known as GHSL-2025-058), it affects all versions prior to 25.00 and can be exploited by cybercriminals to launch denial-of-service (DoS) attacks using malformed RAR5 archives.
Discovered by security researcher Jaroslav Lobačevski, the bug carries a CVSS score of 5.5, placing it in the medium severity category. However, it still poses significant risks for any systems processing untrusted archive files.
How the attack works: overflow and miscalculated zeroes
The vulnerability is caused by a heap buffer overflow in the RAR5 decoder module of 7-Zip, specifically in the NCompress::NRar5::CDecoder component. The issue arises when the software tries to recover corrupted archive data by filling damaged sections with zeroes.
A miscalculation of the `rem` parameter, driven by attacker-controlled archive metadata, leads to out-of-bounds memory writes. During testing with AddressSanitizer, a specially crafted RAR5 file produced a buffer overrun of 9,469 bytes, confirming that the flaw can be triggered in practice.
No remote code, but serious denial-of-service risk
This flaw doesn’t allow remote code execution, but it does offer attackers a reliable way to crash the application, corrupt memory, or interrupt services that depend on 7-Zip.
In enterprise environments, this could halt automated processing pipelines, antivirus routines, or backup systems, leading to significant workflow disruption.
Why this vulnerability is alarming
The real danger lies not only in the bug itself, but in 7-Zip’s widespread use. With over 1.3 million monthly visits to its official website and millions of downloads, 7-Zip is used across personal and corporate environments alike.
Worse still, according to recent threat intelligence reports, archive files are now the top malware delivery method, used in 39% of cyberattacks. Attackers exploit archive-related vulnerabilities to bypass protections and deliver malicious payloads.
How to stay protected
If you or your organization handle untrusted archive files, take these precautions:
- Update 7-Zip immediately to version 25.00 or later
- Deploy automated file validation before any archive is opened
- Restrict access to unknown RAR5 files
- Use sandboxing and behavioral analysis tools
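The "automated file validation" and "restrict access to unknown RAR5 files" items above can be combined into a pre-open gate that classifies an archive by its leading bytes rather than its extension, so a renamed `.rar` cannot slip through as a `.zip`. The following is an added example written for this article, not 7-Zip's own code or anything from the advisory; the magic-byte constants are the publicly documented format markers, and the `rar5_allowed` switch is an assumed policy knob a pipeline would set to false until its installed 7-Zip is at 25.00 or later.

```python
"""Signature-based pre-open gate for archives handed to an extractor.

Added illustrative example (not 7-Zip code). It routes RAR5 inputs to
quarantine while the extractor is still on a version before 25.00 and
rejects files whose format cannot be identified from their first bytes.
"""
import os
import tempfile

# Documented format markers. RAR5 differs from RAR4 in the 7th byte
# (0x01 instead of 0x00) and carries an 8th zero byte.
RAR5_MAGIC = b"Rar!\x1a\x07\x01\x00"
RAR4_MAGIC = b"Rar!\x1a\x07\x00"
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
ZIP_MAGIC = b"PK\x03\x04"

HEADER_BYTES = 8  # longest signature we test for


def classify_archive(head: bytes) -> str:
    """Return a format label derived only from the leading bytes."""
    if head.startswith(RAR5_MAGIC):
        return "rar5"
    if head.startswith(RAR4_MAGIC):
        return "rar4"
    if head.startswith(SEVENZ_MAGIC):
        return "7z"
    if head.startswith(ZIP_MAGIC):
        return "zip"
    return "unknown"


def gate_bytes(head: bytes, filename: str, rar5_allowed: bool) -> dict:
    """Decide allow / quarantine / reject for a file given its first bytes.

    rar5_allowed is the assumed policy flag: False while the extractor
    predates 7-Zip 25.00 (the fixed version named in the advisory).
    """
    fmt = classify_archive(head)
    ext = os.path.splitext(filename)[1].lower()
    expected_ext = {"rar5": ".rar", "rar4": ".rar", "7z": ".7z", "zip": ".zip"}
    # A signature that disagrees with the extension is worth logging on its own.
    mismatch = fmt != "unknown" and ext != expected_ext[fmt]

    if fmt == "rar5" and not rar5_allowed:
        decision = "quarantine"
    elif fmt == "unknown":
        decision = "reject"
    else:
        decision = "allow"
    return {"file": filename, "format": fmt,
            "extension_mismatch": mismatch, "decision": decision}


def gate_file(path: str, rar5_allowed: bool) -> dict:
    """Read only the header bytes; the file is never parsed as an archive here."""
    with open(path, "rb") as fh:
        head = fh.read(HEADER_BYTES)
    return gate_bytes(head, os.path.basename(path), rar5_allowed)


if __name__ == "__main__":
    # Constructed sample files: headers only, no real archive payload.
    samples = {
        "report.rar": RAR5_MAGIC + b"\x00" * 16,
        "legacy.rar": RAR4_MAGIC + b"\x00" * 16,
        "invoice.zip": RAR5_MAGIC + b"\x00" * 16,   # RAR5 disguised as ZIP
        "notes.7z": SEVENZ_MAGIC + b"\x00" * 16,
        "blob.bin": b"\x00" * 16,
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, content in samples.items():
            p = os.path.join(tmp, name)
            with open(p, "wb") as fh:
                fh.write(content)
            print(gate_file(p, rar5_allowed=False))
```

Run against real inputs, the gate sits in front of whatever invokes 7-Zip (a mail gateway, a backup job, a scanner) and only ever reads eight bytes of the untrusted file; the decision to quarantine rather than silently drop keeps the sample available for later analysis once the extractor is patched.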
Questions and answers
- What is CVE-2025-53816?
  It’s a memory overflow vulnerability in 7-Zip that enables denial-of-service attacks via RAR5 files.
- Which versions are affected?
  All versions prior to 25.00.
- Can this bug be used to run malicious code?
  No, but it can still crash systems and disrupt services.
- How does the attack work?
  By opening a specially crafted RAR5 archive that exploits memory miscalculations.
- What is a heap buffer overflow?
  It’s a flaw where data is written beyond the allocated memory, causing crashes or memory corruption.
- Who discovered the bug?
  Security researcher Jaroslav Lobačevski.
- What is a denial-of-service attack?
  It’s an attack that makes a system or application unusable.
- Which systems are at highest risk?
  Those that automatically process archive files or don’t validate file input properly.
- Why are archive files used in malware attacks?
  Because they are often trusted and compressed, making them ideal for sneaking past security filters.
- How can I check if I’m vulnerable?
  Open 7-Zip and check that the version is 25.00 or higher.
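The last answer above is a manual check; on a fleet of machines it is worth scripting. Below is an added example, not part of the article or of 7-Zip, that parses the banner line the `7z` command-line tool prints and compares the version numerically against 25.00. The banner layouts used as constructed samples follow the `7-Zip <version> ... Igor Pavlov ...` form the tool prints; the exact wording on any given build is an assumption, which is why the parser keys only on the `7-Zip` prefix and the first `major.minor` pair after it.

```python
"""Check whether an installed 7-Zip predates the 25.00 fix.

Added illustrative example (not 7-Zip code). The fixed version comes from
the advisory; the banner samples are constructed from the usual layout of
the 7z command-line output and are assumptions about that format.
"""
import re
import shutil
import subprocess
from typing import Optional, Tuple

FIXED_VERSION = (25, 0)  # 25.00 and later carry the fix

# Tolerates "7-Zip 24.09 (x64)", "7-Zip [64] 16.02" and "7-Zip (a) 9.20".
BANNER_RE = re.compile(r"7-Zip(?: \[\d+\])?(?: \([a-z]\))? (\d+)\.(\d+)")


def parse_7zip_version(banner: str) -> Optional[Tuple[int, int]]:
    """Extract (major, minor) from a 7z banner, or None if no version is found."""
    m = BANNER_RE.search(banner)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_vulnerable(version: Tuple[int, int]) -> bool:
    """Numeric comparison: string comparison would rank "9.20" above "25.00"."""
    return version < FIXED_VERSION


def installed_7zip_version(candidates=("7z", "7zz", "7za")) -> Optional[Tuple[int, int]]:
    """Run the first 7-Zip binary on PATH with no arguments and parse its banner.

    7z prints its banner plus usage and exits non-zero when given no
    arguments, so the exit code is deliberately ignored.
    """
    for exe in candidates:
        path = shutil.which(exe)
        if path is None:
            continue
        try:
            out = subprocess.run([path], capture_output=True, text=True, timeout=10)
        except (OSError, subprocess.TimeoutExpired):
            continue
        version = parse_7zip_version(out.stdout + out.stderr)
        if version is not None:
            return version
    return None


if __name__ == "__main__":
    # Constructed banner lines standing in for real tool output.
    samples = [
        "7-Zip 24.09 (x64) : Copyright (c) 1999-2024 Igor Pavlov : 2024-11-29",
        "7-Zip 25.00 (x64) : Copyright (c) 1999-2025 Igor Pavlov : 2025-07-05",
        "7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21",
        "7-Zip (a) 9.20  Copyright (c) 1999-2010 Igor Pavlov  2010-11-18",
    ]
    for line in samples:
        v = parse_7zip_version(line)
        print(f"{v}: {'VULNERABLE' if v and is_vulnerable(v) else 'patched'}")

    live = installed_7zip_version()
    if live is None:
        print("no 7-Zip command-line binary found on PATH")
    else:
        print(f"installed {live[0]}.{live[1]:02d}: "
              f"{'update required' if is_vulnerable(live) else 'patched'}")
```

On Windows the GUI build does not register `7z.exe` on PATH by default, so point `candidates` at the install directory or read the file version of `7z.exe` instead; the comparison logic stays the same.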