Apache Commons Compress 1.6 to 1.20 denial of service vulnerability
Description
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Commons Compress 1.6 to 1.20 can be forced to allocate excessive memory when reading a crafted 7Z archive, leading to denial of service.
Vulnerability
When reading a specially crafted 7Z archive, the SevenZFile class in Apache Commons Compress 1.6 through 1.20 can be made to allocate large amounts of memory, ending in an out-of-memory error even for very small inputs [1]: the amount allocated is driven by values taken from the archive rather than bounded by the size of the input. The issue is tracked as COMPRESS-542 [2] and lives in the sevenz package.
Exploitation
An attacker only needs to get a crafted 7Z archive processed by a service that uses SevenZFile; no authentication, privileges or further interaction are required, so any upload, import or scanning endpoint that opens user-supplied 7Z files is exposed. The feature to recover broken 7z archives that Compress 1.19 introduced makes exploitation easier, because the recovery code path triggers the excessive allocation [2]. Since the archive can be only a few dozen bytes, it is cheap to craft and to send repeatedly, and ordinary request-size limits do nothing to stop it.
Impact
Successful exploitation is a denial of service: the JVM hosting the parser exhausts its heap, and depending on how the service handles OutOfMemoryError the request thread dies, the process crashes, or it stalls in garbage collection. The impact is limited to availability; no confidentiality or integrity is affected, but any other work sharing that JVM goes down with it.
Mitigation
Users should upgrade to Apache Commons Compress 1.21 or later, which contains the fix [2]. The configuration options the security report describes, a cap on the memory SevenZFile may use and recovery of broken archives as something the caller must enable explicitly, belong to the fixed release line and do not help on the affected versions 1.6 through 1.20; the original claim that the 1.19 recovery feature can simply be left unenabled does not apply there. Until the upgrade lands, the only effective mitigation is to keep untrusted 7Z input away from SevenZFile, or to isolate that parsing in a separate process with a bounded heap so that an OutOfMemoryError takes down a worker rather than the service.
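The exploitation and mitigation paragraphs above describe the mechanism only in general terms: a size field read from the archive drives an allocation, so a few dozen bytes of input can cost gigabytes of heap. The following Python example is added here to make that concrete; it is not code from Commons Compress and makes no claim about which field COMPRESS-542 abused. It uses the one part of the 7Z format that is easy to reproduce, the fixed 32-byte signature header whose NextHeaderOffset and NextHeaderSize fields tell a reader where the real header lives. A naive reader allocates whatever size is claimed; the hardened reader checks both fields against the actual file length and a policy cap before allocating. The archive bytes, the 1 MiB cap, the 64 MiB claimed size and the two-byte placeholder header are all constructed for the example.

```python
"""Bounds-check the 7Z signature header before trusting its size fields.

Constructed example: a naive reader that allocates whatever NextHeaderSize
claims, beside a hardened reader that refuses sizes the file cannot contain.
"""
import struct
import zlib
from typing import Optional, Tuple

SIGNATURE = b"7z\xbc\xaf\x27\x1c"   # magic bytes of every 7Z archive
SIGNATURE_HEADER_SIZE = 32           # fixed-size signature header
MAX_HEADER_BYTES = 1 << 20           # policy cap assumed for this example, not a 7Z constant


def build_archive(next_header: bytes, packed: bytes = b"",
                  claimed_offset: Optional[int] = None,
                  claimed_size: Optional[int] = None) -> bytes:
    """Assemble a 7Z file: signature header, packed streams, next header.

    claimed_offset / claimed_size override the real values so an attacker-style
    header can be forged; the CRCs are recomputed, so the file still passes
    every integrity check a parser can perform.
    """
    offset = len(packed) if claimed_offset is None else claimed_offset
    size = len(next_header) if claimed_size is None else claimed_size
    # StartHeader = NextHeaderOffset (u64 LE), NextHeaderSize (u64 LE), NextHeaderCRC (u32 LE)
    start_header = struct.pack("<QQI", offset, size, zlib.crc32(next_header))
    signature_header = (SIGNATURE + bytes([0, 4])                      # format version 0.4
                        + struct.pack("<I", zlib.crc32(start_header))  # StartHeaderCRC
                        + start_header)
    return signature_header + packed + next_header


def parse_start_header(data: bytes) -> Tuple[int, int, int]:
    """Return (NextHeaderOffset, NextHeaderSize, NextHeaderCRC) after checking magic and CRC."""
    if len(data) < SIGNATURE_HEADER_SIZE or data[:6] != SIGNATURE:
        raise ValueError("not a 7Z archive")
    (start_crc,) = struct.unpack_from("<I", data, 8)
    start_header = data[12:SIGNATURE_HEADER_SIZE]
    if zlib.crc32(start_header) != start_crc:
        raise ValueError("StartHeaderCRC mismatch")
    return struct.unpack("<QQI", start_header)


def naive_read_next_header(data: bytes) -> bytearray:
    """Vulnerable pattern: the buffer size comes straight from the archive."""
    offset, size, _crc = parse_start_header(data)
    buf = bytearray(size)                 # allocation driven by an attacker-controlled field
    start = SIGNATURE_HEADER_SIZE + offset
    chunk = data[start:start + size]      # silently short when the file is smaller than claimed
    buf[:len(chunk)] = chunk
    return buf


def hardened_read_next_header(data: bytes, max_header_bytes: int = MAX_HEADER_BYTES) -> bytes:
    """Fixed pattern: validate offset and size against the real file before allocating."""
    offset, size, next_crc = parse_start_header(data)
    available = len(data) - SIGNATURE_HEADER_SIZE  # bytes that actually follow the signature header
    if size > max_header_bytes:
        raise ValueError(f"NextHeaderSize {size} exceeds cap {max_header_bytes}")
    if offset > available or size > available - offset:
        raise ValueError(f"next header ({offset}+{size}) lies outside the {available} available bytes")
    start = SIGNATURE_HEADER_SIZE + offset
    header = data[start:start + size]
    if zlib.crc32(header) != next_crc:
        raise ValueError("NextHeaderCRC mismatch")
    return header


# Constructed samples; the two-byte header is a placeholder and is not decoded here.
PLACEHOLDER_HEADER = b"\x01\x00"
BENIGN = build_archive(PLACEHOLDER_HEADER, packed=b"payload")
# A 32-byte file whose signature header claims a 64 MiB next header.
TINY_HUGE_CLAIM = build_archive(b"", claimed_size=64 * 1024 * 1024)
# A consistent-looking header whose offset points far past the end of the file.
OFFSET_PAST_EOF = build_archive(PLACEHOLDER_HEADER, claimed_offset=1 << 40)


if __name__ == "__main__":
    print("benign next header:", hardened_read_next_header(BENIGN))
    print("naive reader allocated", len(naive_read_next_header(TINY_HUGE_CLAIM)),
          "bytes for a", len(TINY_HUGE_CLAIM), "byte file")
    for name, sample in (("tiny file, huge claim", TINY_HUGE_CLAIM),
                         ("offset past EOF", OFFSET_PAST_EOF)):
        try:
            hardened_read_next_header(sample)
        except ValueError as err:
            print(f"hardened reader rejected {name}: {err}")
```

The CRC checks in parse_start_header are worth keeping, but they are integrity checks, not trust: the forged samples pass them because the attacker computed the CRCs. What prevents the allocation is comparing the claimed size against len(data) and the cap before bytearray(size) runs, and checking the offset before the size is subtracted so the arithmetic cannot go negative. A real 7Z reader has to apply the same discipline to every count and size field in the property headers (folders, streams, substreams, names), since any of them can be used the same way.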
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.commons:commons-compress (Maven) | < 1.21 | 1.21 |
Affected products
GHSA package coordinates (6 version ranges, all < 1.21):
- pkg:maven/org.apache.commons/commons-compress (no CPE): range < 1.21
- pkg:rpm/opensuse/apache-commons-compress, distro openSUSE Leap 15.2 (no CPE): range < 1.21-lp152.2.3.1
- pkg:rpm/opensuse/apache-commons-compress, distro openSUSE Leap 15.3 (no CPE): range < 1.21-3.3.1
- pkg:rpm/opensuse/apache-commons-compress, distro openSUSE Tumbleweed (no CPE): range < 1.21-1.2
- pkg:rpm/suse/apache-commons-compress, distro SUSE Linux Enterprise Module for Development Tools 15 SP2 (no CPE): range < 1.21-3.3.1
- pkg:rpm/suse/apache-commons-compress, distro SUSE Linux Enterprise Module for Development Tools 15 SP3 (no CPE): range < 1.21-3.3.1
- Apache Software Foundation / Apache Commons Compress (CVE v5 record): affected from 1.6 (1.6 through 1.20 per the advisory)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-crv7-7245-f45f (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-35516 (GHSA)
- www.openwall.com/lists/oss-security/2021/07/13/2 (GHSA; MITRE mailing list)
- commons.apache.org/proper/commons-compress/security-reports.html (GHSA)
- lists.apache.org/thread.html/r67ef3c07fe3b8c1b02d48012149d280ad6da8e4cec253b527520fb2b@%3Cdev.poi.apache.org%3E (MITRE mailing list; GHSA)
- lists.apache.org/thread.html/r9f54c0caa462267e0cc68b49f141e91432b36b23348d18c65bd0d040@%3Cnotifications.skywalking.apache.org%3E (MITRE mailing list; GHSA)
- lists.apache.org/thread.html/racd0c0381c8404f298b226cd9db2eaae965b14c9c568224aa3f437ae@%3Cnotifications.skywalking.apache.org%3E (MITRE mailing list; GHSA)
- lists.apache.org/thread.html/rb064d705fdfa44b5dae4c366b369ef6597951083196321773b983e71@%3Ccommits.pulsar.apache.org%3E (MITRE mailing list; GHSA)
- lists.apache.org/thread.html/rb6e1fa80d34e5ada45f72655d84bfd90db0ca44ef19236a49198c88c@%3Cnotifications.skywalking.apache.org%3E (MITRE mailing list; GHSA)
- lists.apache.org/thread.html/rb7adf3e55359819e77230b4586521e5c6874ce5ed93384bdc14d6aee@%3Cnotifications.skywalking.apache.org%3E (MITRE mailing list; GHSA)
- lists.apache.org/thread.html/rba65ed5ddb0586f5b12598f55ec7db3633e7b7fede60466367fbf86a@%3Cnotifications.skywalking.apache.org%3E (MITRE mailing list; GHSA)
- lists.apache.org/thread.html/rd4332baaf6debd03d60deb7ec93bee49e5fdbe958cb6800dff7fb00e@%3Cnotifications.skywalking.apache.org%3E (MITRE mailing list; GHSA)
- lists.apache.org/thread.html/rf5b1016fb15b7118b9a5e16bb0b78cb4f1dfcf7821eb137ab5757c91@%3Cannounce.apache.org%3E (MITRE mailing list; GHSA)
- lists.apache.org/thread.html/rf68442d67eb166f4b6cf0bbbe6c7f99098c12954f37332073c9822ca@%3Cuser.commons.apache.org%3E (GHSA)
- lists.apache.org/thread.html/rfba19167efc785ad3561e7ef29f340d65ac8f0d897aed00e0731e742@%3Cnotifications.skywalking.apache.org%3E (MITRE mailing list; GHSA)
- security.netapp.com/advisory/ntap-20211022-0001/ (GHSA; MITRE)
- www.oracle.com/security-alerts/cpuapr2022.html (GHSA)
- www.oracle.com/security-alerts/cpujan2022.html (GHSA)
- www.oracle.com/security-alerts/cpujul2022.html (GHSA)
- www.oracle.com/security-alerts/cpuoct2021.html (GHSA)
News mentions
No linked articles in our index yet.