CVE-2026-55195 in py7zrinfo

Summary

by MITRE • 07/09/2026

py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, py7zr's Worker.decompress() extracted archive entries without tracking total decompressed size, allowing a crafted .7z file such as a 15.6 KB archive that expands to 100 MB to exhaust disk or memory before extraction completes. This issue is fixed in version 1.1.3.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 07/09/2026

The py7zr library presents a significant security vulnerability related to improper resource management during archive decompression operations. This flaw affects versions prior to 1.1.3 and stems from the Worker.decompress() method's failure to monitor and control the total amount of data being extracted from compressed archives. The vulnerability creates a scenario where maliciously crafted archive files can trigger excessive resource consumption, potentially leading to system instability or denial of service conditions.

The technical implementation flaw resides in the decompression logic where the library does not maintain proper tracking of decompressed data sizes during extraction processes. This absence of size monitoring allows an attacker to construct archives that appear small in size but expand to significantly larger amounts of data during decompression. The vulnerability specifically affects the Worker.decompress() function which handles the core extraction operations, making it a critical point of failure in the library's security posture.

Operationally, this vulnerability enables attackers to perform resource exhaustion attacks by submitting carefully crafted .7z files that appear legitimate but contain compressed data that expands beyond expected limits. A seemingly innocuous 15.6 KB archive could potentially expand to 100 MB of decompressed content, consuming excessive disk space or memory resources during the extraction process. This behavior can lead to system crashes, application hangs, or complete denial of service conditions, particularly in environments where storage or memory resources are constrained.

The impact of this vulnerability aligns with several cybersecurity frameworks and attack patterns. From a CWE perspective, this represents a weakness categorized under CWE-400: Uncontrolled Resource Consumption, which covers issues where software fails to properly manage resource allocation. The vulnerability also maps to ATT&CK technique T1499.001: Endpoint Denial of Service, as it enables adversaries to consume system resources and render systems unavailable to legitimate users. Additionally, this issue demonstrates characteristics of CWE-770: Allocation of Resources Without Limits or Throttling, where resource consumption is not properly bounded.

The fix implemented in version 1.1.3 addresses this vulnerability by introducing proper tracking mechanisms within the decompression process. This update ensures that the Worker.decompress() method monitors and limits the total amount of data being extracted from archives, preventing excessive resource consumption. Organizations should immediately upgrade to py7zr version 1.1.3 or later to mitigate this risk. System administrators should also implement monitoring solutions to detect unusual resource consumption patterns during archive processing operations.

Security practitioners should consider implementing additional safeguards such as pre-processing checks for suspicious archive characteristics, setting resource quotas for decompression processes, and establishing automated alerts when extraction operations exceed normal parameters. The vulnerability serves as a reminder of the importance of proper resource management in compression libraries and highlights the need for thorough input validation and size monitoring in file processing applications. Organizations using py7zr in production environments should conduct comprehensive security assessments to ensure all instances have been properly updated and that appropriate monitoring measures are in place to detect potential exploitation attempts.

Responsible

GitHub M

Reservation

06/16/2026

Disclosure

07/09/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!