{"id":"CVE-2026-55206","summary":"py7zr: O(n^2) algorithmic complexity DoS in PackInfo._read()","details":"py7zr is a Python-based library and utility to support 7zip archive compression, decompression, encryption and decryption. Prior to 1.1.3, PackInfo._read() in archiveinfo.py used an O(n^2) cumulative sum pattern for attacker-controlled numstreams values parsed from archive headers, allowing a crafted .7z archive to cause excessive CPU consumption during SevenZipFile.init() before extraction. This issue is fixed in version 1.1.3.","aliases":["GHSA-h4gh-22qq-72r7","PYSEC-2026-2973"],"modified":"2026-07-13T16:43:06.899048591Z","published":"2026-07-08T20:32:09.905Z","related":["openSUSE-SU-2026:11112-1","openSUSE-SU-2026:21159-1"],"database_specific":{"cna_assigner":"GitHub_M","cwe_ids":["CWE-407"],"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55206.json"},"references":[{"type":"WEB","url":"https://github.com/miurahr/py7zr/releases/tag/v1.1.3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/55xxx/CVE-2026-55206.json"},{"type":"ADVISORY","url":"https://github.com/miurahr/py7zr/security/advisories/GHSA-h4gh-22qq-72r7"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-55206"},{"type":"FIX","url":"https://github.com/miurahr/py7zr/commit/d7aa3a197d15c75a65b24f796d3a69f83806d3f8"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/miurahr/py7zr","events":[{"introduced":"0"},{"fixed":"d7aa3a197d15c75a65b24f796d3a69f83806d3f8"},{"fixed":"e278bc05cc937ecd1ee62bc6a058db3a21e66614"}],"database_specific":{"source":["AFFECTED_FIELD","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"1.1.3"}]}}],"versions":["v1.1.2","v1.1.0","v1.1.0rc4","v1.1.0rc3","v1.1.0rc2","v1.0.0rc3","v1.0.0rc2","v1.0.0-rc1","v0.22.0","v0.21.1","v0.21.0","v0.20.8","v0.20.7","v0.20.6","v0.20.5","v0.20.4","v0.20.2","v0.20.1","v0.20.0","v0.18.9","v0.18.7","v0.18.6","v0.18.5","v0.18.4","v0.18.3","v0.18.1","v0.18.0","v0.17.4","v0.17.3","v0.17.2","v0.17.1","v0.17.0","v0.16.4","v0.16.3","v0.16.2","v0.16.1","v0.16.0","v0.15.2","v0.15.1","v0.15.0","v0.14.1","v0.13.0","v0.14.0","v0.12.0","v0.11.3","v0.10.1","v0.11.2","v0.11.1","v0.11.0","v0.10.0a1","v0.9.2","v0.9.1","v0.9.0","v0.9.0b3","v0.9.0b2","v0.9.0b1","v0.9.0a2","v0.8.0","v0.9.0a1","v0.8.0b8","v0.8.0b7","v0.8.0b6","v0.8.0b5","v0.8.0b4","v0.8.0b3","v0.7.3","v0.8.0b2","v0.8.0b1","v0.8.0a3","v0.8.0a2","v0.8.0a1","v0.7.2","v0.7.1","v0.7.0","v0.7.0b3","v0.7.0b2","v0.7.0b1","v0.6","v0.6rc","v0.6b8","v0.6b7","v0.6b6","v0.6b5","v0.6b4","v0.6b3","v0.6b2","v0.6b1","v0.6a2","v0.6a1","v0.5b6","v0.5b5","v0.5b4","v0.5b3","v0.5b2","v0.5b1","v0.5a4","v0.5a3","v0.5a2","v0.5a1","v0.4b1","v0.4a2","v0.4a1","v0.3.5","v0.3.4","v0.3.3","v0.3.2","v0.3.1","v0.3","v0.2.0","v0.1.6","v0.1.5","v0.1.4","v0.1.3","v0.1.2","v0.1.1","v0.1.0","v0.0.8","v0.0.7","v0.0.6","v0.0.5","v0.0.4","v0.0.3","v0.0.2","v0.0.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-55206.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}