PatchSiren cyber security CVE debrief
CVE-2026-55206 miurahr CVE debrief
The CVE-2026-55206 vulnerability affects the py7zr library and utility used for 7zip archive compression, decompression, encryption, and decryption. The vulnerability is classified as HIGH severity and was published on 2026-07-08T21:16:49.987Z. The issue arises from an O(n^2) cumulative sum pattern in PackInfo._read() of archiveinfo.py, which allows crafted .7z archives to cause excessive CPU consumption during SevenZipFile.init() before extraction. This issue is fixed in version 1.1.3 of py7zr. Users of py7zr should update to this version or later to prevent excessive CPU consumption.
- Vendor
- miurahr
- Product
- py7zr
- CVSS
- HIGH 8.7
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-08
- Original CVE updated
- 2026-07-10
- Advisory published
- 2026-07-08
- Advisory updated
- 2026-07-10
Who should care
Users of py7zr library and utility for 7zip archive compression, decompression, encryption and decryption should update to version 1.1.3 or later to prevent excessive CPU consumption during SevenZipFile.init() before extraction. This is particularly important for environments where .7z archives are frequently processed or where high CPU consumption could have significant operational impacts.
Technical summary
Prior to version 1.1.3, the PackInfo._read() function in archiveinfo.py of the py7zr library used an O(n^2) cumulative sum pattern for attacker-controlled numstreams values parsed from archive headers. This allows a crafted .7z archive to cause excessive CPU consumption during SevenZipFile.init() before extraction. The vulnerability is fixed in version 1.1.3. The issue has a HIGH severity CVSS score of 8.7.
Defensive priority
High priority should be given to updating py7zr to version 1.1.3 or later due to the HIGH severity of this vulnerability. Additionally, monitoring and compensating controls should be implemented to mitigate potential impacts.
Recommended defensive actions
- Update py7zr to version 1.1.3 or later
- Inventory and patch vulnerable py7zr installations
- Monitor for suspicious .7z archive activity
- Implement compensating controls for excessive CPU consumption
- Review and verify the integrity of .7z archives before processing
- Conduct regular security audits to identify and address potential vulnerabilities in py7zr
- Consider implementing additional monitoring and logging to detect potential exploitation attempts
Evidence notes
Evidence is based on official CVE and NVD records, as well as security advisories from GitHub. The CVE record was published on 2026-07-08T21:16:49.987Z and has not been modified since then. The vulnerability affects py7zr library and utility for 7zip archive compression, decompression, encryption and decryption. The issue is fixed in version 1.1.3. No additional information is available on the vulnerability's scope or potential impact beyond the provided CVE and NVD details.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:49.987Z and has not been modified since then.