Description
NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). An unsigned integer underflow in a bounds check allows an attacker-controlled value_num_bytes field to pass validation, causing AddNameToString to read up to ~4 GiB past the end of a 64 KiB heap buffer. This causes a deterministic crash (denial of service) when opening a crafted .avb or .img file. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.
Published: 2026-06-12
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A heap out-of-bounds read was discovered in NanaZip's Android Verified Boot (AVB) vbmeta image parser. A bounds check in the parser is subject to an unsigned integer underflow, which lets an attacker-controlled value_num_bytes field pass validation. The AddNameToString routine can then read up to ~4 GiB past the end of a 64 KiB heap buffer, causing a deterministic crash when the application opens a crafted .avb or .img file. The crash results in denial of service; the weaknesses are classified as CWE-125 and CWE-191.
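
The bug class described above, as an added illustration (not NanaZip or 7-Zip source code): a constructed length check in which unsigned subtraction wraps, beside a form that cannot wrap. The function names, `remaining`, `key_len` and the descriptor layout are assumptions; only value_num_bytes and the 64 KiB buffer size come from the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of a length-prefixed descriptor: a key of key_len bytes,
   a NUL, a value of value_num_bytes bytes, a NUL, all of which must fit in
   `remaining` bytes of buffer. The layout is an assumption for illustration. */

/* Weak form: when key_len + 2 > remaining, the unsigned subtraction wraps to
   a value near UINT32_MAX, so almost any value_num_bytes passes the check. */
static bool check_weak(uint32_t remaining, uint32_t key_len,
                       uint32_t value_num_bytes)
{
    return value_num_bytes <= remaining - key_len - 2;
}

/* Hardened form: each subtraction is preceded by a comparison, so the
   running byte budget can never wrap. */
static bool check_safe(uint32_t remaining, uint32_t key_len,
                       uint32_t value_num_bytes)
{
    if (remaining < 2)
        return false;
    remaining -= 2;                 /* the two NUL terminators */
    if (key_len > remaining)
        return false;
    remaining -= key_len;
    return value_num_bytes <= remaining;
}

int main(void)
{
    const uint32_t buf = 64u * 1024u;   /* 64 KiB buffer */
    /* Constructed inputs: an oversized key makes the weak budget wrap. */
    const uint32_t key_len = 65535u, value_num_bytes = 0xFFFFFF00u;

    printf("wrapped budget: %u bytes\n", (unsigned)(buf - key_len - 2));
    printf("weak check accepts: %d\n", check_weak(buf, key_len, value_num_bytes));
    printf("safe check accepts: %d\n", check_safe(buf, key_len, value_num_bytes));
    return 0;
}
```

The hardened form never computes a difference before proving the subtrahend fits, which is the general remedy for CWE-191 in size validation.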

Affected Systems

The vulnerability affects NanaZip, produced by M2Team, from version 3.0.1000.0 up to but not including 6.0.1698.0. The stable 6.0.1698.0 release and the preview 6.5.1742.0 release contain the fix. NanaZip is a derivative of 7-Zip and provides a modern Windows archive utility.

Risk and Exploitability

With a CVSS base score of 5.4, this issue is considered medium severity. The EPSS score of less than 1 % indicates a very low probability of exploitation in the wild, and the vulnerability is not listed in the CISA KEV catalog. The attack vector is local, requiring the attacker to supply a crafted .avb or .img file that the user or a script opens with NanaZip; no remote code execution or privilege escalation is possible. The deterministic crash provides an observable denial‑of‑service effect but does not expose destructive memory corruption or data exfiltration.

Generated by OpenCVE AI on June 12, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to NanaZip 6.0.1698.0 or newer, which includes the AVB parser fix.
  • Until the upgrade can be applied, avoid opening untrusted .avb or .img files with NanaZip.
  • Restart the application after updating to ensure the memory heap is re‑initialized and to clear any residual corrupted state.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 19:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | | M2team; M2team nanazip |
| Vendors & Products | | M2team; M2team nanazip |

Fri, 12 Jun 2026 18:30:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'} |


Fri, 12 Jun 2026 17:15:00 +0000

| Type | Values Removed | Values Added |
|---|---|---|
| Description | | NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). An unsigned integer underflow in a bounds check allows an attacker-controlled value_num_bytes field to pass validation, causing AddNameToString to read up to ~4 GiB past the end of a 64 KiB heap buffer. This causes a deterministic crash (denial of service) when opening a crafted .avb or .img file. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0. |
| Title | | NanaZip: Heap out-of-bounds read in NanaZip AVB property descriptor parser via unsigned integer underflow |
| Weaknesses | | CWE-125; CWE-191 |
| References | | |
| Metrics | | cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T17:16:04.731Z

Reserved: 2026-05-18T22:25:21.258Z

Link: CVE-2026-47222

Vulnrichment

Updated: 2026-06-12T17:12:37.972Z

NVD

Status: Received

Published: 2026-06-12T17:16:24.087

Modified: 2026-06-12T18:16:34.533

Link: CVE-2026-47222

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:00:20Z

Weaknesses
  • CWE-125

    Out-of-bounds Read

  • CWE-191

    Integer Underflow (Wrap or Wraparound)