Description
NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, NanaZip has an out-of-bounds heap read in `.NET Single File` bundle header parser due to missing bounds check. Opening a crafted file with NanaZip causes a crash or leaks heap data to the user. Version 6.0.1630.0 patches the issue.
Published: 2026-02-19
Score: 5.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Out-of-Bounds Heap Read Leading to Data Exposure or Crash
Action: Patch
AI Analysis

Impact

In NanaZip versions 5.0.1252.0 through 6.0.1629.999, the .NET Single File bundle header parser performs a missing bounds check, allowing an attacker to trigger an out-of-bounds heap read when a crafted archive is opened. The result is either a program crash or the leakage of sensitive heap data to the user, which may expose confidential information but does not directly allow code execution. The vulnerability is classified under CWE-125 and CWE-126 and carries a CVSS score of 5.2, indicating a moderate severity.

Affected Systems

The issue affects the M2Team NanaZip open‑source file archive application. Affected releases include all builds starting at version 5.0.1252.0 and up to, but not including, 6.0.1630.0. The patch is available in NanaZip 6.0.1630.0 and newer. Users of earlier versions are vulnerable.

Risk and Exploitability

The CVSS score of 5.2 reflects a moderate impact, while the EPSS score of less than 1 % indicates a very low likelihood of exploitation in the wild. NanaZip does not appear in the CISA KEV catalog. Because the flaw is triggered by opening a crafted archive file, the attack vector is inferred to be local or user‑initiated; no network‑based exploitation is described. An attacker who can supply a malicious file to a target user can cause a denial‑of‑service or information‑leak event, but cannot gain arbitrary code execution or remote foothold.

Generated by OpenCVE AI on April 17, 2026 at 17:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NanaZip to version 6.0.1630.0 or later, which contains the fix for the out‑of‑bounds read.
  • If an immediate upgrade is not possible, isolate the use of NanaZip from untrusted or externally supplied archives by applying file‑level permissions or running the application within a sandbox environment to contain a crash or data leakage.
  • Use a reputable antivirus or content‑analysis tool to scan archives before opening them with NanaZip, thereby reducing the chance that a malicious file triggers the heap read bug.

Generated by OpenCVE AI on April 17, 2026 at 17:54 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 20 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 19:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-125
CPEs cpe:2.3:a:m2team:nanazip:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared M2team
M2team nanazip
Vendors & Products M2team
M2team nanazip

Thu, 19 Feb 2026 21:00:00 +0000

Type Values Removed Values Added
Description NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, NanaZip has an out-of-bounds heap read in `.NET Single File` bundle header parser due to missing bounds check. Opening a crafted file with NanaZip causes a crash or leaks heap data to the user. Version 6.0.1630.0 patches the issue.
Title NanaZip has DotNet Single file OOB Heap Read
Weaknesses CWE-126
References
Metrics cvssV4_0

{'score': 5.2, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

M2team Nanazip
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-20T20:02:32.672Z

Reserved: 2026-02-12T17:10:53.414Z

Link: CVE-2026-26282

cve-icon Vulnrichment

Updated: 2026-02-20T20:02:25.006Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-19T21:18:31.500

Modified: 2026-02-20T19:42:56.213

Link: CVE-2026-26282

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses