Description
NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, NanaZip’s `.NET Single File Application` parser has an out-of-bounds read vulnerability in manifest parsing. A crafted bundle can provide a malformed `RelativePathLength` so the parser constructs a `std::string` from memory beyond `HeaderBuffer`, leading to crash and potential in-process memory disclosure. Versions 6.0.1638.0 and 6.5.1638.0 fix the issue.
Published: 2026-02-25
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information Disclosure
Action: Patch
AI Analysis

Impact

The vulnerability is an out-of-bounds read that occurs when the .NET Single‑File Application parser in NanaZip constructs a string from memory beyond the header buffer. A malformed RelativePathLength field in a crafted archive causes the parser to read arbitrary memory, which can lead to a memory disclosure or a crash. The weakness is a missing boundary check (CWE‑125).

Affected Systems

The affected vendor is M2Team, product NanaZip. The issue exists in all releases from 5.0.1252.0 up to, but not including, 6.0.1638.0 and 6.5.1638.0. Versions 6.0.1638.0 and 6.5.1638.0 contain the fix for the parser vulnerability.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. The EPSS score is less than 1%, suggesting a low probability of real‑world exploitation at this time. The vulnerability is not listed in CISA’s KEV catalog. Exploitation would require delivery of a malicious archive that contains an invalid RelativePathLength; the attack is inferred to be local or remote depending on how the archive is supplied to the application, but no remote code execution is possible from the information provided.

Generated by OpenCVE AI on April 17, 2026 at 14:42 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NanaZip to version 6.0.1638.0 or later to apply the parser fix.
  • If an upgrade is not immediately possible, restrict the use of NanaZip to trusted archives and deny the application access to untrusted files.
  • Run NanaZip in a sandboxed or isolated environment to contain any potential memory disclosure and to detect crashes promptly.

Generated by OpenCVE AI on April 17, 2026 at 14:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 18:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:m2team:nanazip:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 6.6, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H'}

Fri, 27 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 26 Feb 2026 13:30:00 +0000

Type Values Removed Values Added
First Time appeared M2team
M2team nanazip
Vendors & Products M2team
M2team nanazip

Thu, 26 Feb 2026 00:00:00 +0000

Type Values Removed Values Added
Description NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, NanaZip’s `.NET Single File Application` parser has an out-of-bounds read vulnerability in manifest parsing. A crafted bundle can provide a malformed `RelativePathLength` so the parser constructs a `std::string` from memory beyond `HeaderBuffer`, leading to crash and potential in-process memory disclosure. Versions 6.0.1638.0 and 6.5.1638.0 fix the issue.
Title NanaZip .NET Single-File Manifest Parser Vulnerable to Out-of-Bounds Read via Unchecked RelativePathLength
Weaknesses CWE-125
References
Metrics cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

M2team Nanazip
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:49:04.311Z

Reserved: 2026-02-23T17:56:51.203Z

Link: CVE-2026-27709

cve-icon Vulnrichment

Updated: 2026-02-26T15:48:53.216Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-26T00:16:24.490

Modified: 2026-02-27T17:54:12.353

Link: CVE-2026-27709

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T14:45:21Z

Weaknesses