Description
NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a stack-based out-of-bounds read exists in the ZealFS filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted ZealFS v1 filesystem image. An attacker-controlled BitmapSize field in the file header drives an unbounded loop that reads past the end of a stack-allocated ZEALFS_V1_HEADER structure. This vulnerability is fixed in 6.0.1698.0.
Published: 2026-05-12
Score: 4.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A stack-based out-of-bounds read exists in the ZealFS bitmap parser of NanaZip. The vulnerability is triggered by opening a crafted ZealFS v1 filesystem image whose header contains an attacker‑controlled BitmapSize value; this value drives an unbounded loop that reads beyond the end of the stack‑allocated ZEALFS_V1_HEADER structure. The read can potentially expose data residing after the stack frame, leading to information disclosure, or cause a crash if the memory pattern is invalid.

Affected Systems

M2Team’s NanaZip from version 5.0.1252.0 up to, but not including, 6.0.1698.0 is affected. Users who browse or open ZealFS v1 filesystem images with those versions are exposed.

Risk and Exploitability

The CVSS score of 4.4 indicates moderate baseline severity. No EPSS data is available, and the vulnerability is not listed in KEV, suggesting limited known exploitation. The likely attack vector is local file usage: an attacker must craft a ZealFS v1 image and distribute it so that a user opens it with NanaZip. Exploiting the vulnerability can reveal sensitive data from process memory but does not provide controlled code execution or persistence.

Generated by OpenCVE AI on May 12, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NanaZip to version 6.0.1698.0 or later.
  • If upgrade is not immediately possible, refuse or isolate all ZealFS v1 image files from untrusted sources and avoid opening them with NanaZip.
  • Run NanaZip in a sandbox or minimal‑privilege environment to limit exposure from any memory read errors.

Generated by OpenCVE AI on May 12, 2026 at 21:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 14 May 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:m2team:nanazip:*:*:*:*:*:*:*:*

Wed, 13 May 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared M2team
M2team nanazip
Vendors & Products M2team
M2team nanazip

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a stack-based out-of-bounds read exists in the ZealFS filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted ZealFS v1 filesystem image. An attacker-controlled BitmapSize field in the file header drives an unbounded loop that reads past the end of a stack-allocated ZEALFS_V1_HEADER structure. This vulnerability is fixed in 6.0.1698.0.
Title NanaZip: Stack out-of-bounds read in NanaZip ZealFS bitmap parser
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 4.4, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}

Subscriptions

M2team Nanazip
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-13T14:17:19.904Z

Reserved: 2026-04-27T13:55:58.693Z

Link: CVE-2026-42446

cve-icon Vulnrichment

Updated: 2026-05-13T14:17:14.115Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-12T20:16:41.900

Modified: 2026-05-14T15:49:25.953

Link: CVE-2026-42446

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-12T22:45:15Z

Weaknesses