Description
NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap buffer-overflow read exists in the LVM2 physical-volume metadata parser in NanaZip (via the upstream 7-Zip LvmHandler). The vulnerability is triggered when opening a crafted LVM disk image. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.
Published: 2026-06-12
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NanaZip's LVM2 physical‑volume metadata parser contains a heap buffer‑overflow read that can be triggered by opening a crafted LVM disk image. The flaw allows an attacker to read data beyond the bounds of the allocated buffer, potentially exposing sensitive memory contents or causing a crash. This vulnerability is a classic out‑of‑bounds read (CWE‑125) and does not directly lead to code execution.

Affected Systems

The issue affects M2Team NanaZip versions from 3.0.1000.0 up to, but not including, 6.0.1698.0. Versions 6.0.1698.0 and newer, as well as preview 6.5.1742.0, contain the fix and are safe to use.

Risk and Exploitability

With a CVSS score of 4.3 the risk is considered medium, and the EPSS score of less than 1% indicates a low likelihood of exploitation. NanaZip is a desktop application, so the attack requires local user interaction with a malicious LVM image; it therefore lacks a network exposure vector and is not listed in CISA's KEV catalog.

Generated by OpenCVE AI on June 12, 2026 at 18:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the NanaZip update to version 6.0.1698.0 or later (or the preview 6.5.1742.0 if available).
  • If an update cannot be applied immediately, block the processing of LVM disk images or configure NanaZip (or an alternate archive tool) to disable LVM support to avoid the vulnerable parser.
  • If NanaZip is not required for archive operations, replace it with an alternative compression tool that does not handle LVM images or other unsupported features.

Generated by OpenCVE AI on June 12, 2026 at 18:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 12 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 12 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
First Time appeared M2team
M2team nanazip
Vendors & Products M2team
M2team nanazip

Fri, 12 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Description NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap buffer-overflow read exists in the LVM2 physical-volume metadata parser in NanaZip (via the upstream 7-Zip LvmHandler). The vulnerability is triggered when opening a crafted LVM disk image. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.
Title NanaZip: Heap buffer-overflow read in NanaZip LVM metadata CRC check
Weaknesses CWE-125
References
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

Subscriptions

M2team Nanazip
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-12T20:01:40.153Z

Reserved: 2026-05-18T22:25:21.259Z

Link: CVE-2026-47224

cve-icon Vulnrichment

Updated: 2026-06-12T20:01:36.885Z

cve-icon NVD

Status : Received

Published: 2026-06-12T17:16:24.227

Modified: 2026-06-12T17:16:24.227

Link: CVE-2026-47224

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-12T19:00:21Z

Weaknesses