CVE-2024-11477: 
7-Zip vulnerability analysis and mitigation

A critical vulnerability (CVE-2024-11477) was discovered in 7-Zip, a popular file archiving software. The vulnerability, identified by Nicholas Zubrisky of Trend Micro Security Research, was reported to 7-Zip in June 2024 and publicly disclosed on November 20th, 2024. This flaw affects all versions of 7-Zip prior to version 24.07 and has received a high CVSS score of 7.8 (ZDI Advisory, CERT-EU).

The vulnerability exists within the implementation of Zstandard decompression in 7-Zip. The specific flaw stems from inadequate validation of user-supplied data during the decompression process, which can result in an integer underflow before writing to memory. The vulnerability has been assigned a CVSS score of 7.8 (HIGH) with the vector string CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, indicating its severe nature (ZDI Advisory, NVD).

This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. While user interaction is required to exploit this vulnerability, the attack vectors may vary depending on 7-Zip's implementation within a system. Successful exploitation could lead to complete system compromise, including data theft and unauthorized code execution in the context of the current process (Trustwave, ZDI Advisory).

Users and organizations are strongly advised to update to 7-Zip version 24.07 or later immediately, as this version contains the fix for the vulnerability. Additionally, users should exercise caution when opening archive files, particularly those from untrusted sources (CERT-EU, Trustwave).