<Vulnerability name="CVE-2026-55206">
    <DocumentDistribution xml:lang="en">Copyright © 2012 Red Hat, Inc. All rights reserved.</DocumentDistribution>
    <ThreatSeverity>Moderate</ThreatSeverity>
    <PublicDate>2026-07-08T20:32:09</PublicDate>
    <Bugzilla id="2498253" url="https://bugzilla.redhat.com/show_bug.cgi?id=2498253" xml:lang="en:us">
py7zr: py7zr: Denial of Service via crafted .7z archives due to inefficient algorithmic complexity
    </Bugzilla>
    <CVSS3 status="draft">
        <CVSS3BaseScore>6.5</CVSS3BaseScore>
        <CVSS3ScoringVector>CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H</CVSS3ScoringVector>
    </CVSS3>
    <CWE>CWE-606</CWE>
    <Details xml:lang="en:us" source="Mitre">
py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, PackInfo._read() in archiveinfo.py used an O(n^2) cumulative sum pattern for attacker-controlled numstreams values parsed from archive headers, allowing a crafted .7z archive to cause excessive CPU consumption during SevenZipFile.init() before extraction. This issue is fixed in version 1.1.3.
    </Details>
    <Details xml:lang="en:us" source="Red Hat">
A flaw was found in py7zr, a Python library for 7zip archives. A remote attacker could exploit this vulnerability by providing a specially crafted .7z archive. This archive, when processed by the `SevenZipFile.init()` function, triggers an inefficient algorithmic complexity (CWE-407) during header parsing. This leads to excessive CPU consumption, resulting in a Denial of Service (DoS) for any application that opens untrusted .7z archives using py7zr.
    </Details>
    <Statement xml:lang="en:us">
This Moderate severity flaw in the `py7zr` library can lead to a Denial of Service. Applications that utilize `py7zr` to open or process untrusted `.7z` archives are vulnerable to excessive CPU consumption. This occurs due to an inefficient algorithm when parsing specially crafted archive headers, allowing a remote attacker to trigger the resource exhaustion without requiring file extraction.
    </Statement>
    <Mitigation xml:lang="en:us">
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
    </Mitigation>
    <References xml:lang="en:us">
https://www.cve.org/CVERecord?id=CVE-2026-55206
https://nvd.nist.gov/vuln/detail/CVE-2026-55206
https://github.com/miurahr/py7zr/commit/d7aa3a197d15c75a65b24f796d3a69f83806d3f8
https://github.com/miurahr/py7zr/releases/tag/v1.1.3
https://github.com/miurahr/py7zr/security/advisories/GHSA-h4gh-22qq-72r7
    </References>
</Vulnerability>