CVE-2025-53817: 
7-Zip vulnerability analysis and mitigation

7-Zip, a file archiver with high compression ratio supporting Compound Documents extraction, was found to contain a null pointer dereference vulnerability in the Compound handler (CVE-2025-53817). The vulnerability was discovered on April 24, 2025, and affects versions prior to 25.0.0. This security flaw was identified by Jaroslav Lobačevski from the GitHub Security Lab team (GitHub Advisory).

The vulnerability stems from a null pointer dereference in the NArchive::NCom::CHandler::GetStream function. When item.Size reaches a specific large value, an overflow occurs during the calculation of (item.Size + clusterSize - 1) >> bsLog, causing numClusters64 to become zero. The check if (numClusters64 >= ((UInt32)1 << 31)) fails to prevent unsigned integer overflow. Consequently, the vector's ClearAndReserve function doesn't allocate memory, leaving the internal vector pointer null, which leads to a null pointer write attempt. The vulnerability has been assigned a CVSS v4.0 score of 5.5 (Medium) with the vector string CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P (NVD).

The vulnerability can lead to a denial of service condition when exploited. When triggered, the application crashes due to the null pointer dereference, particularly affecting both Windows and Linux systems. On Windows, the official 7-Zip build crashes even without Address Sanitizer (ASAN), while on Linux systems compiled with ASAN, it results in a segmentation fault (GitHub Advisory).

The vulnerability has been fixed in 7-Zip version 25.0.0, released on July 5, 2025. Users are advised to upgrade to this version or later to mitigate the security risk (GitHub Advisory).