Circular NextOffset Chains Vulnerability in NanaZip by M2Team
CVE-2026-27014

5.1MEDIUM

Key Information:

Vendor

M2team

Status
Nanazip
Vendor
CVE Published:
19 February 2026

What is CVE-2026-27014?

NanaZip versions from 5.0.1252.0 up to 6.0.1630.0 experience security vulnerabilities due to circular NextOffset chains, leading to infinite loops and deeply nested directories creating unbounded recursion in the ROMFS archive parser. These issues can cause stack overflow errors, potentially disrupting service and leading to application instability. The vulnerability has been addressed in NanaZip version 6.0.1630.0.

Affected Version(s)

NanaZip >= 5.0.1252.0, < 6.0.1630.0

References

https://github.com/M2Team/NanaZip/security/advisories/GHS...
x_refsource_CONFIRM

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.