Summary

CVE: CVE-2024-11612 Component: 7-Zip (CopyCoder / stream processing) Vulnerability Type: Infinite loop → Denial of Service (DoS) Vendor: 7-Zip Product: 7-Zip Impact: Unbounded decompression loop / CPU hang Discoverer / Credit: 2ourc3 (Salim Largo) Disclosure: Reported via Zero Day Initiative (ZDI) Advisory: ZDI-24-1606

Description

During a fuzzing campaign against 7-Zip, an input was discovered that causes the decompression process to run forever. When the crafted archive is opened, 7-Zip remains stuck in a “decompressing” state without terminating, resulting in a denial-of-service condition.

Because 7-Zip is widely deployed and frequently integrated into backend workflows, automated pipelines, and archive-processing systems, this issue can become an operational risk when untrusted archives are handled at scale.

The vulnerability has since been disclosed as:

CVE-2024-11612 — 7-Zip CopyCoder Infinite Loop Denial-of-Service Vulnerability

Root cause

The bug is caused by a logic error in the processing of streams (CopyCoder path), where user-controlled data is improperly validated.

Under specific conditions, the decompression logic fails to progress correctly and ends up executing an infinite loop, keeping the process alive indefinitely and consuming resources.

Proof of Concept

A crashing / hanging sample was generated by AFL++ and reproduces the issue reliably:

id_000076sig_06src_000991000979time_645883execs_109584op_splicerep_7

Opening this archive triggers an infinite decompression loop, producing a sustained DoS condition.

Impact

  • Attack type: Denial of Service (infinite loop)
  • Requirement: Some interaction is required (opening / processing the crafted archive)
  • Real-world risk: Depends on how 7-Zip is embedded (GUI use, backend automation, archive ingestion systems)
  • Outcome: CPU burn / hung job / blocked pipeline / degraded availability

References