CVE-2026-55206 in py7zr
Summary
by MITRE • 07/09/2026
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, PackInfo._read() in archiveinfo.py used an O(n^2) cumulative sum pattern for attacker-controlled numstreams values parsed from archive headers, allowing a crafted .7z archive to cause excessive CPU consumption during SevenZipFile.init() before extraction. This issue is fixed in version 1.1.3.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/09/2026
The py7zr library presents a significant performance degradation vulnerability through its handling of archive header parsing operations. The flaw exists in the PackInfo._read() method within archiveinfo.py where the implementation employs an inefficient O(n^2) cumulative sum algorithm that processes attacker-controlled numstreams values extracted from archive headers. This design pattern becomes particularly problematic when processing maliciously crafted .7z archive files since the cumulative sum calculation grows quadratically with the number of streams, leading to substantial computational overhead during the SevenZipFile.init() phase before any actual extraction can occur.
The vulnerability stems from inadequate input validation and inefficient algorithmic design in the library's archive parsing logic. When a malicious archive contains an inflated numstreams value, the PackInfo._read() function processes each stream sequentially while maintaining cumulative sums, creating a computationally expensive operation that scales exponentially with the number of streams. This behavior represents a classic example of inefficient resource consumption that can be exploited to cause denial of service conditions. The vulnerability specifically impacts the initialization phase of archive processing where the library parses header information before any actual decompression activities begin.
During exploitation, an attacker can craft a .7z archive file containing manipulated header values that force the py7zr library to perform excessive CPU cycles during the initial parsing stage. The computational overhead occurs before any decryption or data extraction operations commence, making this attack particularly effective as a resource exhaustion mechanism. The vulnerability affects all versions prior to 1.1.3 and demonstrates poor adherence to secure coding practices regarding algorithmic efficiency and input validation. This type of issue aligns with CWE-502 which covers deserialization of untrusted data, and specifically relates to inefficient algorithms that can be exploited for resource exhaustion attacks.
The operational impact of this vulnerability extends beyond simple performance degradation to potentially enabling denial of service scenarios against systems processing archive files through py7zr. Systems that automatically process or validate .7z archives without proper input sanitization become vulnerable to CPU-intensive attacks that can consume significant computational resources and potentially cause system instability. This vulnerability also presents risks in environments where automated processing pipelines exist, as malicious archives could be used to overwhelm processing capabilities and degrade overall service availability.
Mitigation strategies should focus on implementing proper bounds checking for numstreams values during header parsing operations and updating to py7zr version 1.1.3 or later which contains the necessary fixes. Organizations should also consider implementing rate limiting and resource monitoring for archive processing systems, as well as validating input archives through multiple layers of security checks before processing. The fix implemented in version 1.1.3 likely involves replacing the inefficient cumulative sum algorithm with a more optimal approach that reduces computational complexity to O(n) or better, addressing both the performance issue and the potential for exploitation through resource exhaustion attacks. This vulnerability highlights the importance of secure coding practices and algorithmic efficiency in security-critical components such as archive processing libraries.