CVE-2026-47222

MEDIUM 5.4

NanaZip: Heap out-of-bounds read in NanaZip AVB property descriptor parser via unsigned integer underflow

CVSS Score

5.4

EPSS Score

0.0%

EPSS Percentile

15th

NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). An unsigned integer underflow in a bounds check allows an attacker-controlled value_num_bytes field to pass validation, causing AddNameToString to read up to ~4 GiB past the end of a 64 KiB heap buffer. This causes a deterministic crash (denial of service) when opening a crafted .avb or .img file. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.

CWE	CWE-125 CWE-191
Vendor	m2team
Product	nanazip
Published	Jun 12, 2026
Last Updated	Jun 12, 2026

Stay Ahead of the Next One

Get instant alerts for m2team nanazip

Be the first to know when new medium vulnerabilities affecting m2team nanazip are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

Low

Integrity

None

Availability

Low

Affected Versions

M2Team / NanaZip

>= 3.0.1000.0, < 6.0.1698.0

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/M2Team/NanaZip/security/advisories/GHSA-mqqj-crf3-6q37