CVE-2022-29072
Published: 15 April 2022
Summary
CVE-2022-29072 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in 7-Zip. Its CVSS base score is 7.8 (High).
Operationally, it ranks in the top 4.5% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
Deeper analysis
7-Zip through version 21.07 on Windows is affected by a local vulnerability that permits command execution when a specially crafted .7z file is dragged onto the Help>Contents menu area inside 7zFM.exe. The root cause is a combination of 7z.dll misconfiguration and a heap overflow (CWE-787), which results in the attacker-supplied command being launched as a child process under the 7-Zip File Manager.
An attacker with the ability to place a malicious archive on a system and convince a user to interact with it via drag-and-drop can achieve arbitrary command execution. The CVSS 7.8 vector reflects local access, low attack complexity, and no privileges required beyond the ability to run 7-Zip, with high impact on confidentiality, integrity, and availability; however, multiple third-party reports indicate that privilege escalation beyond the current user context does not actually occur.
Public proof-of-concept material, including exploit code and demonstration videos, has been available since disclosure. The associated EPSS score has remained in a moderate band (current 0.1889, peak 0.2245) without a pronounced post-disclosure climb, suggesting limited in-the-wild exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2022-33485
Vulnerability details
7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. NOTE: multiple third parties have reported that no privilege escalation can occur.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Memory protections that prevent data pages from being executed as code also blunt out-of-bounds writes that corrupt control flow or inject shellcode, because the injected code cannot run.