Description
NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular `NextOffset` chains cause an infinite loop in the ROMFS archive parser. Version 6.0.1630.0 patches the issue.
Published: 2026-02-19
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

The vulnerability lies in the ROMFS archive parser of NanaZip, where circular NextOffset chains trigger an infinite loop. This behavior can consume all available CPU resources, leading to a denial of service. The flaw does not provide direct code execution or privilege escalation, so its impact is limited to service availability rather than confidentiality or integrity.

Affected Systems

The affected product is NanaZip by M2Team. Versions from 5.0.1252.0 up to and including 6.0.1629.9 are vulnerable. The issue was fixed in version 6.0.1630.0, which is now the recommended baseline.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity, and the EPSS score is below 1%, suggesting a low likelihood of exploitation. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog, which further reduces the risk assessment. The attack vector is inferred to be local or remote via a crafted ROMFS archive; an attacker would need to trigger the parser with malicious input, after which the infinite loop would degrade system availability. No publicly disclosed exploits are reported, but the low EPSS score implies limited active exploitation.

Generated by OpenCVE AI on April 17, 2026 at 17:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NanaZip version 6.0.1630.0 or later, which resolves the infinite loop.
  • If an upgrade is not feasible, configure the application to reject or ignore ROMFS archives, or use an alternative archive library that does not parse this format.
  • Monitor system resource usage and set limits or alerts for abnormal CPU consumption that may indicate an infinite loop condition.

Generated by OpenCVE AI on April 17, 2026 at 17:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 26 Feb 2026 00:00:00 +0000

Type Values Removed Values Added
Description NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular `NextOffset` chains cause an infinite loop in the ROMFS archive parser. Version 6.0.1630.0 patches the issue. NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular `NextOffset` chains cause an infinite loop in the ROMFS archive parser. Version 6.0.1630.0 patches the issue.

Fri, 20 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 20 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:m2team:nanazip:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Fri, 20 Feb 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared M2team
M2team nanazip
Vendors & Products M2team
M2team nanazip

Thu, 19 Feb 2026 21:15:00 +0000

Type Values Removed Values Added
Description NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular `NextOffset` chains cause an infinite loop in the ROMFS archive parser. Version 6.0.1630.0 patches the issue.
Title NanaZip has ROMFS Archive Infinite Loop
Weaknesses CWE-835
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

M2team Nanazip
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-25T23:38:03.518Z

Reserved: 2026-02-17T18:42:27.043Z

Link: CVE-2026-27114

cve-icon Vulnrichment

Updated: 2026-02-20T20:04:48.784Z

cve-icon NVD

Status : Modified

Published: 2026-02-19T21:18:32.390

Modified: 2026-02-26T00:16:23.630

Link: CVE-2026-27114

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:00:12Z

Weaknesses