CVE-2023-52169

Publication date 3 July 2024

Last updated 15 April 2025

Ubuntu priority

The NtfsHandler.cpp NTFS handler in 7-Zip before 24.01 (for 7zz) contains an out-of-bounds read that allows an attacker to read beyond the intended buffer. The bytes read beyond the intended buffer are presented as a part of a filename listed in the file system image. This has security relevance in some known web-service use cases where untrusted users can upload files and have them extracted by a server-side 7-Zip process.

Read the notes from the security team

Status

Show unmaintained releases

Package	Ubuntu Release	Status
7zip	25.04 plucky	Not affected
	24.10 oracular	Not affected
	24.04 LTS noble	Fixed 23.01+dfsg-11ubuntu0.1~esm1 Ubuntu Pro
	23.10 mantic	Ignored end of life, was needs-triage
	22.04 LTS jammy	Fixed 21.07+dfsg-4ubuntu0.1~esm1 Ubuntu Pro
	20.04 LTS focal	Not in release

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro

Notes

john-breton

Sourceforge is private for the 7-Zip project, but the linked disclosure blog includes the patched code.

Patch details

For informational purposes only. We recommend not to cherry-pick updates. How can I get the fixes?

Package	Patch details
7zip	Third-party: https://dfir.ru/2024/06/19/vulnerabilities-in-7-zip-and-ntfs3/

References

Related Ubuntu Security Notices (USN)

USN-7438-1
7-Zip vulnerabilities
15 April 2025