CVE-2026-55206

Source
https://cve.org/CVERecord?id=CVE-2026-55206
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55206.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-55206
Aliases
Downstream
Related
Published
2026-07-08T20:32:09.905Z
Modified
2026-07-13T16:43:06.899048591Z
Severity
  • 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N CVSS Calculator
Summary
py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()
Details

py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, PackInfo._read() in archiveinfo.py used an O(n^2) cumulative sum pattern for attacker-controlled numstreams values parsed from archive headers, allowing a crafted .7z archive to cause excessive CPU consumption during SevenZipFile.init() before extraction. This issue is fixed in version 1.1.3.

Database specific
{
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-407"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55206.json"
}
References

Affected packages

Git / github.com/miurahr/py7zr

Affected ranges

Type
GIT
Repo
https://github.com/miurahr/py7zr
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.1.3"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

v0.*
v0.0.1
v0.0.2
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.1.0
v0.1.1
v0.1.2
v0.1.3
v0.1.4
v0.1.5
v0.1.6
v0.10.0a1
v0.10.1
v0.11.0
v0.11.1
v0.11.2
v0.11.3
v0.12.0
v0.13.0
v0.14.0
v0.14.1
v0.15.0
v0.15.1
v0.15.2
v0.16.0
v0.16.1
v0.16.2
v0.16.3
v0.16.4
v0.17.0
v0.17.1
v0.17.2
v0.17.3
v0.17.4
v0.18.0
v0.18.1
v0.18.3
v0.18.4
v0.18.5
v0.18.6
v0.18.7
v0.18.9
v0.2.0
v0.20.0
v0.20.1
v0.20.2
v0.20.4
v0.20.5
v0.20.6
v0.20.7
v0.20.8
v0.21.0
v0.21.1
v0.22.0
v0.3
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.4a1
v0.4a2
v0.4b1
v0.5a1
v0.5a2
v0.5a3
v0.5a4
v0.5b1
v0.5b2
v0.5b3
v0.5b4
v0.5b5
v0.5b6
v0.6
v0.6a1
v0.6a2
v0.6b1
v0.6b2
v0.6b3
v0.6b4
v0.6b5
v0.6b6
v0.6b7
v0.6b8
v0.6rc
v0.7.0
v0.7.0b1
v0.7.0b2
v0.7.0b3
v0.7.1
v0.7.2
v0.7.3
v0.8.0
v0.8.0a1
v0.8.0a2
v0.8.0a3
v0.8.0b1
v0.8.0b2
v0.8.0b3
v0.8.0b4
v0.8.0b5
v0.8.0b6
v0.8.0b7
v0.8.0b8
v0.9.0
v0.9.0a1
v0.9.0a2
v0.9.0b1
v0.9.0b2
v0.9.0b3
v0.9.1
v0.9.2
v1.*
v1.0.0-rc1
v1.0.0rc2
v1.0.0rc3
v1.1.0
v1.1.0rc2
v1.1.0rc3
v1.1.0rc4
v1.1.2

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55206.json"