Skip to main content

Improper Handling of Length Parameter Inconsistency

CVE-2021-35516

Severity High
Score 7.5/10

Summary

When reading a specially crafted 7Z archive, Compress before 1.21 can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • HIGH

CWE-130 - Improper Handling of Length Parameter Inconsistency

The software parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

Advisory Timeline

  • Published