PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55206 miurahr CVE debrief

The CVE-2026-55206 vulnerability affects the py7zr library and utility used for 7zip archive compression, decompression, encryption, and decryption. The vulnerability is classified as HIGH severity and was published on 2026-07-08T21:16:49.987Z. The issue arises from an O(n^2) cumulative sum pattern in PackInfo._read() of archiveinfo.py, which allows crafted .7z archives to cause excessive CPU consumption during SevenZipFile.init() before extraction. This issue is fixed in version 1.1.3 of py7zr. Users of py7zr should update to this version or later to prevent excessive CPU consumption.

Vendor
miurahr
Product
py7zr
CVSS
HIGH 8.7
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-08
Original CVE updated
2026-07-10
Advisory published
2026-07-08
Advisory updated
2026-07-10

Who should care

Users of py7zr library and utility for 7zip archive compression, decompression, encryption and decryption should update to version 1.1.3 or later to prevent excessive CPU consumption during SevenZipFile.init() before extraction. This is particularly important for environments where .7z archives are frequently processed or where high CPU consumption could have significant operational impacts.

Technical summary

Prior to version 1.1.3, the PackInfo._read() function in archiveinfo.py of the py7zr library used an O(n^2) cumulative sum pattern for attacker-controlled numstreams values parsed from archive headers. This allows a crafted .7z archive to cause excessive CPU consumption during SevenZipFile.init() before extraction. The vulnerability is fixed in version 1.1.3. The issue has a HIGH severity CVSS score of 8.7.

Defensive priority

High priority should be given to updating py7zr to version 1.1.3 or later due to the HIGH severity of this vulnerability. Additionally, monitoring and compensating controls should be implemented to mitigate potential impacts.

Recommended defensive actions

  • Update py7zr to version 1.1.3 or later
  • Inventory and patch vulnerable py7zr installations
  • Monitor for suspicious .7z archive activity
  • Implement compensating controls for excessive CPU consumption
  • Review and verify the integrity of .7z archives before processing
  • Conduct regular security audits to identify and address potential vulnerabilities in py7zr
  • Consider implementing additional monitoring and logging to detect potential exploitation attempts

Evidence notes

Evidence is based on official CVE and NVD records, as well as security advisories from GitHub. The CVE record was published on 2026-07-08T21:16:49.987Z and has not been modified since then. The vulnerability affects py7zr library and utility for 7zip archive compression, decompression, encryption and decryption. The issue is fixed in version 1.1.3. No additional information is available on the vulnerability's scope or potential impact beyond the provided CVE and NVD details.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-08T21:16:49.987Z and has not been modified since then.