CVE-2026-55195

Source
https://cve.org/CVERecord?id=CVE-2026-55195
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55195.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55195
Aliases
Downstream
Related
Published
2026-07-08T20:30:58.654Z
Modified
2026-07-15T01:49:01.431612594Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
py7zr: Decompression bomb (zip bomb) denial of service via unchecked extraction size
Details

py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, py7zr's Worker.decompress() extracted archive entries without tracking total decompressed size, allowing a crafted .7z file such as a 15.6 KB archive that expands to 100 MB to exhaust disk or memory before extraction completes. This issue is fixed in version 1.1.3.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-409"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55195.json"
}
References

Affected packages

Git / github.com/miurahr/py7zr

Affected ranges

Type
GIT
Repo
https://github.com/miurahr/py7zr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ],
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.1.3"
        }
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.10.0a1
v0.10.1
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.12.0
v0.13.0
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.18.0
v0.18.1
v0.18.3
v0.18.4
v0.18.5
v0.18.6
v0.18.7
v0.18.9
v0.2.0
v0.20.0
v0.20.1
v0.20.2
v0.20.4
v0.20.5
v0.20.6
v0.20.7
v0.20.8
v0.21.0
v0.21.1
v0.22.0
v0.3
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4a1
v0.4a2
v0.4b1
v0.5a1
v0.5a2
v0.5a3
v0.5a4
v0.5b1
v0.5b2
v0.5b3
v0.5b4
v0.5b5
v0.5b6
v0.6
v0.6a1
v0.6a2
v0.6b1
v0.6b2
v0.6b3
v0.6b4
v0.6b5
v0.6b6
v0.6b7
v0.6b8
v0.6rc
v0.7.0
v0.7.0b1
v0.7.0b2
v0.7.0b3
v0.7.1
v0.7.2
v0.7.3
v0.8.0
v0.8.0a1
v0.8.0a2
v0.8.0a3
v0.8.0b1
v0.8.0b2
v0.8.0b3
v0.8.0b4
v0.8.0b5
v0.8.0b6
v0.8.0b7
v0.8.0b8
v0.9.0
v0.9.0a1
v0.9.0a2
v0.9.0b1
v0.9.0b2
v0.9.0b3
v0.9.1
v0.9.2
v1.*
v1.0.0-rc1
v1.0.0rc2
v1.0.0rc3
v1.1.0
v1.1.0rc2
v1.1.0rc3
v1.1.0rc4
v1.1.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55195.json"