Cyber Resilience

CVE-2022-29072

Severity: High · Public PoC

Published: 15 April 2022
Modified: 09 June 2025
KEV Added: not listed
Patch: none listed
CVSS Score v3.1: 7.8 (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.1887 (95.5th percentile)
Risk Priority: 27 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2022-29072 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in 7-Zip. Its CVSS base score is 7.8 (High).

Operationally, it is ranked in the top 4.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; and a public proof-of-concept is referenced.

Deeper analysis

7-Zip through version 21.07 on Windows is affected by a local vulnerability that permits command execution when a specially crafted .7z file is dragged onto the Help>Contents menu area inside 7zFM.exe. The root cause is a combination of 7z.dll misconfiguration and a heap overflow (CWE-787), which results in the attacker-supplied command being launched as a child process under the 7-Zip File Manager.

An attacker who can place a malicious archive on a system and convince a user to interact with it via drag-and-drop can achieve arbitrary command execution. The CVSS 7.8 vector reflects a local attack vector, low attack complexity, and low privileges required (an ordinary user able to run 7-Zip), with high impact on confidentiality, integrity, and availability; however, multiple third-party reports indicate that privilege escalation beyond the current user context does not actually occur.

Public proof-of-concept material, including exploit code and demonstration videos, has been available since disclosure. The associated EPSS score has remained in a moderate band (current 0.1889, peak 0.2245) without a pronounced post-disclosure climb, suggesting limited in-the-wild exploitation interest to date.


Vulnerability details

7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. NOTE: multiple third parties have reported that no privilege escalation can occur.

CWE(s)

CWE-787: Out-of-bounds Write

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: 7-zip
Product: 7-zip
Affected versions: ≤ 21.07

Mitigating Controls

Likely Mitigating Controls (AI-derived)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Memory protections (addresses CWE-787): out-of-bounds writes that corrupt control flow or inject shellcode are rendered non-executable by these memory protections.
