Vulnerability Report

CVE-2022-29072

RCE

Title: 7-Zip RCE

RCE

Proof Of Concept

PoC Available for CVE-2022-29072

CWE Category CWE-787
Published Date Apr 15, 2022
Modified Date Jun 09, 2025
Exploit Status Available
Score 7.8 CVSS v3.1
Exploit Probability (EPSS)
1.52%

Vulnerability Summary

CVE-2022-29072: 7-Zip through 21.07 on Windows allows privilege escalation and command execution when a file with the .7z extension is dragged to the Help>Contents area. This is caused by misconfiguration of 7z.dll and a heap overflow. The command runs in a child process under the 7zFM.exe process. NOTE: multiple third parties have reported that no privilege escalation can occur

Impacted Vendors

I
igor_pavlov 1
7
7-zip 1

Reference Links

http://packetstormsecurity.com/files/166763/7-Zip-21.07-Code-Execution-Privilege-Escalation.html https://github.com/kagancapar/CVE-2022-29072 https://news.ycombinator.com/item?id=31070256 https://sourceforge.net/p/sevenzip/bugs/2337/ https://www.youtube.com/watch?v=sT1cvbu7ZTA http://packetstormsecurity.com/files/166763/7-Zip-21.07-Code-Execution-Privilege-Escalation.html https://github.com/kagancapar/CVE-2022-29072 https://news.ycombinator.com/item?id=31070256 https://sourceforge.net/p/sevenzip/bugs/2337/ https://www.youtube.com/watch?v=sT1cvbu7ZTA
CVSS v3.1
Source Entity [email protected]
Severity HIGH
7.8
Attack Vector
LOCAL
Complexity
LOW
Privileges
N/A
Interaction
NONE
Confidentiality
N/A
Integrity
N/A
Availability
N/A
Scope
UNCHANGED
RAW VECTOR CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS v2.0
Source Entity [email protected]
Severity HIGH
7.2
Access Vector
N/A
Authentication
N/A
RAW VECTOR AV:L/AC:L/Au:N/C:C/I:C/A:C

Associated Attack Patterns (CAPEC)

Total: Patterns

CVE-2022-29072 Exploits & PoCs (Proof Of Concept)

GitHub https://github.com/kagancapar/CVE-2022-29072
View Code
GitHub https://github.com/sentinelblue/CVE-2022-29072
View Code
GitHub https://github.com/tiktb8/CVE-2022-29072
View Code
MODIFIED

Vulnerability data or affected products updated.

PUBLISHED

Vulnerability first announced in NVD.

Attack Vector Matrix

Access Vector LOCAL
Complexity LOW
Privileges N/A
Interaction NONE
CVSS Vector String CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Affected Stack

No specific products linked.