Out-of-Bounds Heap Read in NanaZip File Archiving Software
CVE-2026-26282

5.2 MEDIUM

Key Information:

Vendor

M2team

Status
Vendor
CVE Published: 19 February 2026

What is CVE-2026-26282?

NanaZip, an open-source file archiving tool, is affected by an out-of-bounds heap read vulnerability in its .NET Single File bundle header parser. The flaw, present in versions prior to 6.0.1630.0, is caused by a missing bounds check, which allows an attacker to craft a malicious file that triggers a crash or leaks sensitive heap data to users. Users should update to version 6.0.1630.0 to mitigate this issue. For more information, see the security advisory and proof of concept linked below.

Affected Version(s)

NanaZip >= 5.0.1252.0, < 6.0.1630.0

References

CVSS V4

Score: 5.2
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: High
Attack Vector: Local
Attack Complexity: Low
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
