CVE-2026-47223 - Vulnerability Details

- NanaZip: Heap out-of-bounds read in NanaZip AVB hashtree descriptor parser via 32-bit unsigned integer overflow

Description

NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). A 32-bit unsigned integer overflow in the bounds check pos + ht.salt_len > descSize allows an attacker-controlled salt_len field to bypass validation, causing CByteBuffer::CopyFrom to memcpy up to ~4 GiB past the end of a 64. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.

Published: 2026-06-12

Score: 5.4 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

NanaZip, a 7‑Zip derivative for Windows, contains a 32‑bit unsigned integer overflow in the Android Verified Boot (AVB) vbmeta image parser. The overflow occurs in the bounds check pos + ht.salt_len > descSize, allowing an attacker-controlled salt_len field to bypass validation. Consequently, CByteBuffer::CopyFrom may memcpy up to roughly 4 GiB beyond the intended heap buffer, resulting in an out-of-bounds read that can reveal arbitrary memory contents. This flaw can potentially expose sensitive information and, in worst-case scenarios, lead to a denial-of-service through a crash.

Affected Systems

M2Team’s NanaZip versions from 3.0.1000.0 up to, but not including, 6.0.1698.0 are vulnerable. The issue was fixed in stable release 6.0.1698.0 and preview 6.5.1742.0, so any installation of NanaZip older than those two releases is impacted.

Risk and Exploitability

The CVSS base score of 5.4 indicates moderate severity, while the EPSS score of less than 1 % conveys a very low likelihood of exploitation at present. The vulnerability is not listed in the CISA KEV catalog. Exploitation requires an attacker to supply a malicious vbmeta image or otherwise control the salt_len field, which suggests a local or privileged attack surface rather than a remote trigger. Nonetheless, the potential for memory disclosure warrants prompt remediation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

M2Team

NanaZip

affected

Version	Status	Constraints
`>= 3.0.1000.0, < 6.0.1698.0`	affected	—

No data.

Vendor Product Confidence Versions

M2team

Nanazip

100%

Version	Status	Scheme	Platform
`[3.0.1000.0,6.0.1698.0)`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to NanaZip 6.0.1698.0 or newer.
If an immediate upgrade is not possible, restrict the processing of vbmeta images to trusted sources and validate input sizes strictly before parsing.
As a temporary measure, disable AVB parsing if the feature is not required for your deployment.

Generated by OpenCVE AI on June 12, 2026 at 19:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction Required

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00046.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/M2Team/NanaZip/security/advisories/GHSA-qhc5-mh6j-4g75

History

Sat, 13 Jun 2026 04:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Fri, 12 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		M2team M2team nanazip
Vendors & Products		M2team M2team nanazip

Fri, 12 Jun 2026 18:00:00 +0000

Type	Values Removed	Values Added
Description		NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). A 32-bit unsigned integer overflow in the bounds check pos + ht.salt_len > descSize allows an attacker-controlled salt_len field to bypass validation, causing CByteBuffer::CopyFrom to memcpy up to ~4 GiB past the end of a 64. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.
Title		NanaZip: Heap out-of-bounds read in NanaZip AVB hashtree descriptor parser via 32-bit unsigned integer overflow
Weaknesses		CWE-125 CWE-190
References		https://github.com/M2Team/NanaZip/security/advisories/GHSA-qhc5-mh6j-4g75
Metrics		cvssV3_1 `{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L'}`

Subscriptions

M2team Nanazip

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-06-12T17:06:15.385Z

Updated: 2026-06-13T03:23:46.667Z

Reserved: 2026-05-18T22:25:21.259Z

Link: CVE-2026-47223

Vulnrichment

Updated: 2026-06-13T03:22:39.232Z

NVD

Status : Received

Published: 2026-06-12T18:16:34.640

Modified: 2026-06-13T04:17:32.413

Link: CVE-2026-47223

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T19:45:27Z

Weaknesses

CWE-125
Out-of-bounds Read
CWE-190
Integer Overflow or Wraparound

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact Low

User Interaction Required

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object