7-Zip Vulnerability CVE-2022-29072: Exploit Details and Temporary Mitigation
A security researcher discovered that 7‑Zip (including version 21.07) contains CVE‑2022‑29072, a vulnerability that can be triggered by dragging a .7z file onto the Help → Content area, leading to privilege escalation and arbitrary command execution, with a temporary fix of deleting the vulnerable 7‑zip.chm file.
7‑Zip is an open‑source compression tool primarily for Microsoft Windows, and a Linux version was released in March of last year.
Researcher Kağan Çapar recently discovered a vulnerability in 7‑Zip (CVE‑2022‑29072) that may allow attackers to gain higher privileges and execute arbitrary commands; the flaw affects all versions, including the latest 21.07.
The exploit is simple: dragging a file with the .7z extension onto the 7‑Zip window's Help → Content area triggers the issue (see GIF).
The vulnerability stems from a misconfiguration and a stack overflow in 7z.dll. After installation, files opened through the Help → Content area are processed by Windows HTML Help; command injection there creates a child process under 7zFM.exe, which interacts with 7z.dll memory and causes the spawned cmd.exe to run with administrator rights.
The developers have not yet released a patch, and the last update was in December 2021.
Temporary solution: delete the vulnerable 7-zip.chm file located in the installation folder (e.g., C:\Programs\). 7-zip.chm is a help file; removing it does not affect core functionality, but the Help → Content menu or F1 will no longer open the help.
To delete the file, open the program's folder (commonly C:\Programs\), locate 7-zip.chm and delete it; alternatively, revoke write permissions on the 7‑Zip program folder.
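The temporary mitigation above, scripted as an added example (not from the article or the 7‑Zip project): it locates installed copies of 7‑Zip, records the version and a SHA256 of 7-zip.chm, keeps a backup copy so the help file can be restored once a patch ships, removes the file and verifies the removal. It assumes the installer records its folder under HKLM:\SOFTWARE\7-Zip (values Path and Path64) and falls back to the default Program Files locations; run it from an elevated PowerShell session.

```powershell
# Added example: remove 7-zip.chm from every 7-Zip installation found on this host.
# Assumption: 7-Zip's installer stores its folder in HKLM:\SOFTWARE\7-Zip (Path / Path64).
$candidates = @()
foreach ($regPath in 'HKLM:\SOFTWARE\7-Zip', 'HKLM:\SOFTWARE\WOW6432Node\7-Zip') {
    if (Test-Path $regPath) {
        $props = Get-ItemProperty -Path $regPath
        foreach ($name in 'Path', 'Path64') {
            if ($props.$name) { $candidates += $props.$name }
        }
    }
}
# Fallback to the default install folders in case the registry values are missing.
$candidates += "$env:ProgramFiles\7-Zip", "${env:ProgramFiles(x86)}\7-Zip"
$installDirs = $candidates |
    Where-Object { $_ -and (Test-Path $_) } |
    ForEach-Object { $_.TrimEnd('\') } |
    Sort-Object -Unique

if (-not $installDirs) { Write-Host 'No 7-Zip installation found.'; return }

# Backups live under ProgramData so the change is reversible after a fixed release.
$backupDir = Join-Path $env:ProgramData '7zip-chm-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

foreach ($dir in $installDirs) {
    $fm  = Join-Path $dir '7zFM.exe'
    $chm = Join-Path $dir '7-zip.chm'
    $ver = if (Test-Path $fm) { (Get-Item $fm).VersionInfo.ProductVersion } else { 'unknown' }
    Write-Host "7-Zip $ver at $dir"

    if (-not (Test-Path $chm)) { Write-Host '  7-zip.chm already absent'; continue }

    # Record a hash before touching the file so the action is auditable.
    $hash = (Get-FileHash -Path $chm -Algorithm SHA256).Hash
    Copy-Item -Path $chm -Destination (Join-Path $backupDir "7-zip.chm.$ver") -Force
    Remove-Item -Path $chm -Force

    # Verify the removal rather than trusting the cmdlet's silence.
    if (Test-Path $chm) { Write-Warning "  failed to remove $chm" }
    else { Write-Host "  removed 7-zip.chm (SHA256 $hash); backup in $backupDir" }
}
```

After running it, Help → Content and F1 will no longer open the help, as the article notes; restore the file from the backup folder once a patched 7‑Zip is installed.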