Description
NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, a denial-of-service vulnerability exists in NanaZip’s `.NET Single File Application` parser. A crafted bundle can force an integer underflow in header-size calculation and trigger an unbounded memory allocation attempt during archive open. Versions 6.0.1638.0 and 6.5.1638.0 fix the issue.
Published: 2026-02-25
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

NanaZip, an open-source file archiver, has a flaw in its `.NET Single File Application` parser: a crafted bundle can trigger an integer underflow in the header-size calculation. The underflowed value leads to an unbounded memory allocation attempt when the archive is opened, which can exhaust system resources and cause a denial-of-service condition. The weakness corresponds to CWE-191 (Integer Underflow).

Affected Systems

The vulnerability affects M2Team’s NanaZip starting at version 5.0.1252.0 and all releases up to but not including 6.0.1638.0 and 6.5.1638.0. Users running any of those earlier builds, particularly when processing untrusted archives, are vulnerable. The issue is fixed in NanaZip 6.0.1638.0 and 6.5.1638.0.

Risk and Exploitability

The CVSS base score of 5.1 indicates moderate impact, while the EPSS score of less than 1% suggests a low likelihood of exploitation. The vulnerability is not listed in CISA’s KEV catalog. Exploitation requires a maliciously crafted archive that the application processes, so the attack vector is a local file open, reached through any avenue that lets an attacker supply an archive to NanaZip. In such scenarios, the attacker could trigger a DoS by causing the application to attempt an unbounded memory allocation.

Generated by OpenCVE AI on April 18, 2026 at 10:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NanaZip to version 6.0.1638.0 or later.
  • If an upgrade is not possible, restrict archive processing to trusted sources only and validate files before extraction.
  • Run NanaZip within a sandbox or set strict memory limits to mitigate potential resource exhaustion.

Advisories

No advisories yet.

History

Fri, 27 Feb 2026 18:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| CPEs | | `cpe:2.3:a:m2team:nanazip:*:*:*:*:*:*:*:*` |
| Metrics | | cvssV3_1: `{'score': 5.0, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H'}` |


Thu, 26 Feb 2026 13:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | M2team; M2team nanazip |
| Vendors & Products | | M2team; M2team nanazip |

Thu, 26 Feb 2026 00:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, a denial-of-service vulnerability exists in NanaZip’s `.NET Single File Application` parser. A crafted bundle can force an integer underflow in header-size calculation and trigger an unbounded memory allocation attempt during archive open. Versions 6.0.1638.0 and 6.5.1638.0 fix the issue. |
| Title | | NanaZip .NET Single-File Parser Integer Underflow Leads to Unbounded Allocation (DoS) |
| Weaknesses | | CWE-191 |
| References | | |
| Metrics | | cvssV4_0: `{'score': 5.1, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}` |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-26T15:48:29.934Z

Reserved: 2026-02-23T17:56:51.203Z

Link: CVE-2026-27710

Vulnrichment

No data.

NVD

Status: Analyzed

Published: 2026-02-26T00:16:24.663

Modified: 2026-02-27T17:53:13.927

Link: CVE-2026-27710

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-18T10:45:43Z
