PatchSiren cyber security CVE debrief
CVE-2014-9913 Unzip Project CVE debrief
CVE-2014-9913 describes a buffer overflow in the list_files function in UnZip 6.0's list.c. The documented impact is denial of service via a crash while handling archive content related to the compression method. NVD classifies the issue with low attack complexity, no confidentiality or integrity impact, and a low availability impact (A:L).
- Vendor: Unzip Project
- Product: CVE-2014-9913
- CVSS: MEDIUM 4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2017-01-18
- Original CVE updated: 2026-05-13
- Advisory published: 2017-01-18
- Advisory updated: 2026-05-13
Who should care
Teams that use Info-ZIP UnZip 6.0 to process untrusted archives, especially systems that automatically inspect, list, or unpack user-supplied files. Administrators should also care where crashes in archive-handling tools could interrupt workflows or batch processing.
Technical summary
NVD maps the vulnerable product to cpe:2.3:a:unzip_project:unzip:6.0 and assigns CVSS 3.0 vector CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L. The weakness is listed as CWE-119. The prose description says the bug is in list_files in list.c and can be triggered through vectors related to the compression method, resulting in a crash rather than a data exposure or code execution outcome in the supplied record.
Defensive priority
Medium. The issue is availability-focused and rated CVSS 4, but archive parsers are often exposed to untrusted input in automation, mail gateways, and user-facing file handling paths.
Recommended defensive actions
- Identify where Info-ZIP UnZip 6.0 is deployed and whether it processes untrusted archives.
- Prefer a patched or vendor-recommended replacement if available, or restrict use of the affected version.
- Limit archive processing to trusted sources and isolate any systems that must inspect external archives.
- Monitor for crashes in archive listing or unpacking workflows and treat repeated failures as security-relevant.
- Use the supplied CVE and NVD records to confirm remediation status in your environment before relying on the tool.
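The inventory and monitoring steps above can be scripted. The following POSIX shell snippet is an added example for this debrief, not code from PatchSiren or from Info-ZIP. It assumes that `unzip -v` prints a banner whose first line begins with "UnZip 6.0" on affected builds (the usual Info-ZIP banner format), and that a listing process killed by a signal reports an exit status of 128 plus the signal number, which is how POSIX shells surface a crash such as SIGSEGV. The `unzip-guard` syslog tag and the `--inventory` flag are invented for the example.

```shell
#!/bin/sh
# Added example (assumption-based, not the project's own code):
# inventory UnZip binaries on PATH and wrap archive listing so that
# crashes are classified and logged as security-relevant events.

# Return 0 if a `unzip -v` banner line identifies UnZip 6.0x, else 1.
# Assumption: affected builds print a banner starting with "UnZip 6.0".
is_affected_banner() {
  case "$1" in
    "UnZip 6.0"*) return 0 ;;
    *)            return 1 ;;
  esac
}

# Walk every directory on PATH and report each unzip binary's banner.
inventory_unzip() {
  old_ifs=$IFS
  IFS=:
  for dir in $PATH; do
    bin="$dir/unzip"
    [ -x "$bin" ] || continue
    banner=$("$bin" -v 2>/dev/null | head -n 1)
    if is_affected_banner "$banner"; then
      printf 'AFFECTED %s: %s\n' "$bin" "$banner"
    else
      printf 'ok       %s: %s\n' "$bin" "$banner"
    fi
  done
  IFS=$old_ifs
}

# Classify a listing exit status. A status of 128 or more means the
# process was terminated by a signal (139 = SIGSEGV), which is the crash
# signature this CVE produces; smaller non-zero statuses are ordinary
# unzip errors (bad archive, missing file) and are not alert-worthy.
classify_exit() {
  if [ "$1" -eq 0 ]; then
    echo listed
  elif [ "$1" -ge 128 ]; then
    echo crash
  else
    echo error
  fi
}

# Bounded listing wrapper: cap CPU time for the listing process, then
# log a crash verdict to syslog (tag "unzip-guard" is hypothetical) so
# repeated failures on untrusted archives can drive an alert.
safe_list() {
  ( ulimit -t 10; unzip -l "$1" >/dev/null 2>&1 )
  status=$?
  verdict=$(classify_exit "$status")
  if [ "$verdict" = crash ] && command -v logger >/dev/null 2>&1; then
    logger -t unzip-guard "crash status=$status archive=$1"
  fi
  echo "$verdict"
  return "$status"
}

# Stand-alone usage: ./unzip_guard.sh --inventory
if [ "${1:-}" = "--inventory" ]; then
  inventory_unzip
fi
```

A banner that does not read "UnZip 6.0" is not proof of safety, and a banner that does is not proof of exposure: distributions commonly backport fixes without changing the version string, so the inventory output should be cross-checked against the package changelog and the CVE and NVD records the debrief points to before a host is marked remediated.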
Evidence notes
The core facts come from the NVD record: affected version cpe:2.3:a:unzip_project:unzip:6.0, CVSS vector CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L, and CWE-119. The NVD description states a buffer overflow in list_files in list.c can let remote attackers cause a denial of service via compression-method-related vectors. Related references include Openwall oss-security threads, a SecurityFocus BID entry, and an Ubuntu Launchpad issue tracker item. No exploit details are included here.
Official resources
- CVE-2014-9913 CVE record (CVE.org)
- CVE-2014-9913 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Mailing List, Third Party Advisory
- Mitigation or vendor reference: [email protected] - Third Party Advisory, VDB Entry
- Mitigation or vendor reference: [email protected] - Issue Tracking, Third Party Advisory
CVE publishedAt is 2017-01-18T17:59:00.217Z and modifiedAt is 2026-05-13T00:24:29.033Z. Use the published date for issue timing context; the later modified date reflects record updates, not original disclosure.