
PEACH
Un cadre d’isolation des locataires
CVE-2026-55206 is an O(n²) algorithmic complexity denial-of-service vulnerability in the PackInfo._read() method of the py7zr Python library. A crafted .7z archive with a large attacker-controlled numstreams value in the archive header causes excessive CPU consumption during SevenZipFile.__init__() — no file extraction is required to trigger the issue. The vulnerability affects py7zr versions ≤ 1.1.2, with version 1.1.3 containing the fix. It carries a CVSS v4.0 base score of 6.9 (Medium) (GitHub Advisory, py7zr Advisory). The advisory was published on June 19, 2026.
The root cause is CWE-407 (Inefficient Algorithmic Complexity) in PackInfo._read() within archiveinfo.py. The vulnerable line self.packpositions = [sum(self.packsizes[:i]) for i in range(self.numstreams + 1)] re-sums the packsizes list from the beginning for each iteration, producing O(n²) total work where n is numstreams. Because numstreams is parsed directly from the archive header via read_uint64() without bounds enforcement, an attacker can supply an arbitrarily large value. This computation executes during header parsing in SevenZipFile.__init__(), meaning a 50 KB crafted archive can consume approximately 7 seconds of CPU time without any extraction step. The suggested fix replaces the pattern with an O(n) cumulative sum using Python's itertools.accumulate (GitHub Advisory, py7zr Advisory).
Successful exploitation causes excessive CPU consumption on any system that opens a crafted .7z archive using py7zr, resulting in a denial-of-service condition. Because the vulnerability triggers during header parsing — before any extraction — applications that merely inspect or validate .7z archives are equally at risk. There is no impact on confidentiality or integrity; the sole impact is on availability of the affected system or service (GitHub Advisory).
.7z archive with a very large numstreams value encoded in the archive header using py7zr's write_uint64() and PROPERTY constants. The archive body can be minimal (e.g., ~50 KB)..7z file to a target application or service that uses py7zr to open or inspect .7z archives — for example, an upload endpoint, a file processing pipeline, or an automated archive validator.SevenZipFile.__init__() on the crafted archive, PackInfo._read() begins computing cumulative pack positions using the O(n²) loop, consuming CPU proportional to numstreams²..7z files (e.g., ~50 KB) with anomalously large numstreams values in archive headers submitted to file processing services..7z file parsing, without corresponding disk I/O activity indicative of extraction.SevenZipFile initialization hanging or timing out on specific .7z files; repeated processing failures on the same archive file.Upgrade py7zr to version 1.1.3 or later, which enforces a limit on the numstreams parameter and replaces the O(n²) algorithm with an O(n) cumulative sum using itertools.accumulate. No configuration-based workaround is available for the vulnerable versions; upgrading is the only effective remediation. Note that version 1.1.3 also addresses two other vulnerabilities: CVE-2026-23879 (arbitrary file write) and CVE-2026-55195 (decompression bomb DoS) (py7zr Release, GitHub Advisory).
The vulnerability was disclosed via coordinated private disclosure before public announcement, as noted in the advisory. openSUSE issued security update announcements covering this CVE, and Tenable's Nessus plugin 324069 was published to detect affected installations (openSUSE Announce, Tenable). No significant broader media coverage or notable researcher commentary beyond the advisory itself has been observed.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."