CVE-2026-55206
Python Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-55206 is an O(n²) algorithmic complexity denial-of-service vulnerability in the PackInfo._read() method of the py7zr Python library. A crafted .7z archive with a large attacker-controlled numstreams value in the archive header causes excessive CPU consumption during SevenZipFile.__init__() — no file extraction is required to trigger the issue. The vulnerability affects py7zr versions ≤ 1.1.2, with version 1.1.3 containing the fix. It carries a CVSS v4.0 base score of 6.9 (Medium) (GitHub Advisory, py7zr Advisory). The advisory was published on June 19, 2026.

Détails techniques

The root cause is CWE-407 (Inefficient Algorithmic Complexity) in PackInfo._read() within archiveinfo.py. The vulnerable line self.packpositions = [sum(self.packsizes[:i]) for i in range(self.numstreams + 1)] re-sums the packsizes list from the beginning for each iteration, producing O(n²) total work where n is numstreams. Because numstreams is parsed directly from the archive header via read_uint64() without bounds enforcement, an attacker can supply an arbitrarily large value. This computation executes during header parsing in SevenZipFile.__init__(), meaning a 50 KB crafted archive can consume approximately 7 seconds of CPU time without any extraction step. The suggested fix replaces the pattern with an O(n) cumulative sum using Python's itertools.accumulate (GitHub Advisory, py7zr Advisory).

Impact

Successful exploitation causes excessive CPU consumption on any system that opens a crafted .7z archive using py7zr, resulting in a denial-of-service condition. Because the vulnerability triggers during header parsing — before any extraction — applications that merely inspect or validate .7z archives are equally at risk. There is no impact on confidentiality or integrity; the sole impact is on availability of the affected system or service (GitHub Advisory).

Étapes d’exploitation

  1. Craft malicious archive: Use the published PoC to construct a .7z archive with a very large numstreams value encoded in the archive header using py7zr's write_uint64() and PROPERTY constants. The archive body can be minimal (e.g., ~50 KB).
  2. Deliver the archive: Supply the crafted .7z file to a target application or service that uses py7zr to open or inspect .7z archives — for example, an upload endpoint, a file processing pipeline, or an automated archive validator.
  3. Trigger parsing: When the target application calls SevenZipFile.__init__() on the crafted archive, PackInfo._read() begins computing cumulative pack positions using the O(n²) loop, consuming CPU proportional to numstreams².
  4. Achieve DoS: The excessive CPU consumption stalls or crashes the processing thread/process, causing denial of service for the affected application without any extraction being performed (py7zr Advisory).

Indicateurs de compromis

  • File System: Presence of unusually small .7z files (e.g., ~50 KB) with anomalously large numstreams values in archive headers submitted to file processing services.
  • Process: Python processes consuming sustained high CPU (near 100%) while handling .7z file parsing, without corresponding disk I/O activity indicative of extraction.
  • Logs: Application logs showing SevenZipFile initialization hanging or timing out on specific .7z files; repeated processing failures on the same archive file.

Atténuation et solutions de contournement

Upgrade py7zr to version 1.1.3 or later, which enforces a limit on the numstreams parameter and replaces the O(n²) algorithm with an O(n) cumulative sum using itertools.accumulate. No configuration-based workaround is available for the vulnerable versions; upgrading is the only effective remediation. Note that version 1.1.3 also addresses two other vulnerabilities: CVE-2026-23879 (arbitrary file write) and CVE-2026-55195 (decompression bomb DoS) (py7zr Release, GitHub Advisory).

Réactions de la communauté

The vulnerability was disclosed via coordinated private disclosure before public announcement, as noted in the advisory. openSUSE issued security update announcements covering this CVE, and Tenable's Nessus plugin 324069 was published to detect affected installations (openSUSE Announce, Tenable). No significant broader media coverage or notable researcher commentary beyond the advisory itself has been observed.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Python Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-54527CRITICAL9.3
  • JavaScript logoJavaScript
  • jupyterlab-git
NonOuiJul 08, 2026
CVE-2026-55206HIGH8.7
  • Python logoPython
  • py7zr
NonOuiJul 08, 2026
CVE-2026-55195HIGH8.7
  • Python logoPython
  • py7zr
NonOuiJul 08, 2026
CVE-2026-54499HIGH7.5
  • Python logoPython
  • stanza
NonOuiJul 08, 2026
CVE-2026-54528HIGH7.1
  • Python logoPython
  • jupyterlab-git
NonOuiJul 08, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités