CVE-2022-29072 Overview
CVE-2022-29072 affects 7-Zip through version 21.07 on Windows. The vulnerability allows command execution and potential privilege escalation when a file with the .7z extension is dragged to the Help > Contents area of the 7-Zip File Manager. The flaw stems from a misconfiguration of 7z.dll combined with a heap overflow condition. The injected command runs in a child process spawned under 7zFM.exe. Multiple third parties have reported that privilege escalation cannot actually occur, but the command execution component remains valid. The issue is categorized under [CWE-787] Out-of-Bounds Write.
Critical Impact
Local attackers can trigger command execution under the 7-Zip File Manager process by abusing the Help interface, with an EPSS exploit prediction of 18.07% (95th percentile).
Affected Products
- 7-Zip through version 21.07
- Microsoft Windows (all supported versions running vulnerable 7-Zip builds)
- The 7z.dll and 7zFM.exe components specifically
Discovery Timeline
- 2022-04-15 - CVE-2022-29072 published to the National Vulnerability Database
- 2025-06-09 - Last updated in NVD database
Technical Details for CVE-2022-29072
Vulnerability Analysis
The vulnerability resides in how the 7-Zip File Manager (7zFM.exe) handles drag-and-drop events targeting the Help > Contents interface. When a .7z file is dragged into this region, the application invokes the Windows Help subsystem with attacker-influenced input. A heap overflow condition combined with the misconfigured loading of 7z.dll allows the file path to be interpreted in a way that spawns a child process. The resulting process inherits the security context of 7zFM.exe, enabling arbitrary command execution on the local system.
Root Cause
The root cause is an out-of-bounds write [CWE-787] triggered by improper validation of input passed to the Help subsystem. 7-Zip relies on the Windows HH.exe (HTML Help) executable for rendering help content. The misconfiguration of 7z.dll permits crafted file names to influence how the help handler resolves and launches child processes. The heap overflow corrupts adjacent memory used to construct the command line forwarded to the child process.
Attack Vector
Exploitation requires local access; the only user interaction involved is performed by the attacker, who must already be logged on with valid credentials. The attacker prepares a specially crafted file with a .7z extension and drags it into the Help > Contents window of an open 7-Zip File Manager session. The resulting command executes under 7zFM.exe. Although the original advisory claimed privilege escalation, independent analyses dispute this finding and conclude the executed process runs at the same integrity level as the invoking user. The realistic impact is therefore arbitrary command execution rather than elevation to SYSTEM. Refer to the GitHub CVE-2022-29072 Repository and the Packet Storm Code Execution Advisory for the original technical write-ups.
Detection Methods for CVE-2022-29072
Indicators of Compromise
- Unexpected child processes spawned by 7zFM.exe, particularly cmd.exe, powershell.exe, or HH.exe with unusual command-line arguments
- Presence of .7z files with embedded path traversal sequences or unusually long names placed in user-writable directories
- Modification timestamps on 7z.dll that do not match the installed 7-Zip package version
Detection Strategies
- Monitor process creation events (Windows Event ID 4688 or Sysmon Event ID 1) where the parent process is 7zFM.exe and the child process is a command interpreter or scripting host
- Hunt for invocations of HH.exe originating from 7-Zip with non-standard .chm or shell arguments
- Inspect endpoint telemetry for heap corruption indicators in 7zFM.exe, such as access violations followed by child process creation
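The first two detection strategies above, worked through as an added example that is not part of the original advisory: a small Python hunt over constructed Sysmon Event ID 1 style records (field names follow Sysmon's ProcessCreate schema; the paths and command lines are invented) that flags interpreters parented by 7zFM.exe and HH.exe launches whose arguments are not a .chm file.

```python
from __future__ import annotations
import re

# Constructed sample records shaped like Sysmon Event ID 1 (ProcessCreate) fields.
# Not real telemetry: paths and command lines are invented for this example.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\7-Zip\7zFM.exe", "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" "C:\Program Files\7-Zip\7-zip.chm"'},  # normal Help > Contents
    {"ParentImage": r"C:\Program Files\7-Zip\7zFM.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c echo constructed-sample"},                        # interpreter child
    {"ParentImage": r"C:\Program Files\7-Zip\7zFM.exe", "Image": r"C:\Windows\hh.exe",
     "CommandLine": r'"C:\Windows\hh.exe" C:\Users\alice\Downloads\sample.7z'},  # hh.exe, non-.chm arg
    {"ParentImage": r"C:\Windows\explorer.exe", "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe"},                                                   # unrelated parent
]

# Command interpreters named in the advisory's workaround list.
INTERPRETERS = {"cmd.exe", "powershell.exe", "wscript.exe"}
_ARG_RE = re.compile(r'"[^"]*"|\S+')


def basename(path: str) -> str:
    """Lower-cased final path component, tolerant of either separator."""
    return re.split(r"[\\/]", path)[-1].lower()


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line into arguments, dropping surrounding quotes."""
    return [tok.strip('"') for tok in _ARG_RE.findall(cmdline)]


def classify(event: dict) -> str | None:
    """Return a finding for a process-creation event parented by 7zFM.exe, else None."""
    if basename(event["ParentImage"]) != "7zfm.exe":
        return None
    child = basename(event["Image"])
    if child in INTERPRETERS:
        return "command interpreter spawned by 7zFM.exe"
    if child == "hh.exe":
        args = split_cmdline(event["CommandLine"])[1:]  # argv[0] is hh.exe itself
        # A legitimate Help > Contents launch passes the .chm; anything else is worth a look.
        if any(not a.lower().endswith(".chm") for a in args):
            return "hh.exe launched by 7zFM.exe with non-.chm argument"
    return None


def hunt(events: list[dict]) -> list[tuple[int, str]]:
    """Run classify over a batch and return (index, finding) pairs."""
    return [(i, f) for i, e in enumerate(events) if (f := classify(e))]


if __name__ == "__main__":
    for idx, finding in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}  <- {SAMPLE_EVENTS[idx]['CommandLine']}")
```

The same logic maps onto Windows Event ID 4688 by reading Creator Process Name and New Process Name in place of ParentImage and Image.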
Monitoring Recommendations
- Enable Sysmon with rules covering process creation, image loads of 7z.dll, and file creation events for .7z artifacts in temporary directories
- Forward 7-Zip-related telemetry to a centralized analytics platform for correlation against user logon sessions
- Alert on any administrative or service account interactively running 7zFM.exe, which is normally launched only by standard interactive users
How to Mitigate CVE-2022-29072
Immediate Actions Required
- Upgrade 7-Zip to version 22.00 or later, which removes the vulnerable Help integration path
- Restrict installation of 7-Zip on multi-user systems where untrusted users may stage .7z payloads
- Remove the legacy 7-zip.chm help file from production endpoints if upgrade is delayed
Patch Information
7-Zip versions through 21.07 are vulnerable. The maintainer addressed the Help subsystem behavior in version 22.00. No vendor advisory URL is recorded in the NVD entry; users should obtain the updated installer directly from the official 7-Zip distribution. Track community discussion via the SourceForge 7-Zip Bug Report and the Hacker News Discussion Thread.
Workarounds
- Delete or rename 7-zip.chm in the 7-Zip installation directory to disable the Help > Contents feature
- Apply application control policies that prevent 7zFM.exe from spawning command interpreters such as cmd.exe, powershell.exe, and wscript.exe
- Train users to open archives through right-click context menus rather than the graphical File Manager when handling untrusted files
# Configuration example (PowerShell, elevated prompt): remove the help file to neutralize the attack surface
# Adjust the path if 7-Zip was installed to a non-default location
Remove-Item -Path "C:\Program Files\7-Zip\7-zip.chm" -ErrorAction Stop
# Optional: block 7zFM.exe from launching command interpreters via WDAC or AppLocker
# Example rule logic (pseudocode; neither AppLocker nor WDAC expresses a parent-to-child process
# relationship directly, so the intent must be mapped onto the chosen policy engine's own rule types)
# Deny: Path=%PROGRAMFILES%\7-Zip\7zFM.exe -> Child: cmd.exe, powershell.exe, hh.exe
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.