CVE-2026-26282

Description

NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, NanaZip has an out-of-bounds heap read in `.NET Single File` bundle header parser due to missing bounds check. Opening a crafted file with NanaZip causes a crash or leaks heap data to the user. Version 6.0.1630.0 patches the issue.

CVSS breakdown

CVSS 4.0

Attack Vector

Local

Attack Complexity

Low

Attack Requirements

None

Privileges Required

Low

User Interaction

Passive

Confidentiality (Vulnerable System)

Low

Integrity (Vulnerable System)

None

Availability (Vulnerable System)

High

Confidentiality (Subsequent System)

None

Integrity (Subsequent System)

None

Availability (Subsequent System)

None

Affected products

M2Team / NanaZip>= 5.0.1252.0, < 6.0.1630.0 – >= 5.0.1252.0, < 6.0.1630.0

References

VENDOR_ADVISORYhttps://github.com/M2Team/NanaZip/security/advisories/GHSA-ccpc-2222-xv5c
MISChttps://github.com/user-attachments/files/25274143/poc.exe.zip