Out-of-Bounds Read in NanaZip Affects File Archive Operations
CVE-2026-27709

5.1 MEDIUM

Key Information:

Vendor

M2team

Status
Vendor
CVE Published:
25 February 2026

What is CVE-2026-27709?

NanaZip, an open-source file archiving tool, contains an out-of-bounds read vulnerability in its '.NET Single File Application' parser. The issue arises when the parser handles a crafted bundle with a malformed 'RelativePathLength'. The parser then attempts to construct a 'std::string' from memory beyond the 'HeaderBuffer', which may lead to unexpected application crashes and potential exposure of sensitive in-process memory content. Users are advised to update to version 6.0.1638.0 or 6.5.1638.0 to mitigate this vulnerability.
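The class of check that prevents this kind of read, as an added example that is not NanaZip's code: a length taken from the file is validated against the bytes remaining in the buffer before the string is built. Only the names `HeaderBuffer` and `RelativePathLength` come from the advisory; the field layout (a 7-bit variable-length prefix followed by the path bytes) and the function names `ReadLength` and `ReadRelativePath` are assumptions made for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

using Buffer = std::vector<std::uint8_t>;

// Decode a 7-bit variable-length integer (the length encoding assumed here)
// without reading past the end of HeaderBuffer. Advances Cursor.
bool ReadLength(const Buffer& HeaderBuffer, std::size_t& Cursor, std::uint32_t& Value)
{
    Value = 0;
    for (int Shift = 0; Shift < 35; Shift += 7) {
        if (Cursor >= HeaderBuffer.size()) return false;  // truncated prefix
        const std::uint8_t Byte = HeaderBuffer[Cursor++];
        Value |= static_cast<std::uint32_t>(Byte & 0x7F) << Shift;
        if ((Byte & 0x80) == 0) return true;
    }
    return false;  // a prefix longer than 5 bytes is malformed
}

// Hardened read of one path field. RelativePathLength is untrusted file
// data, so it is compared with the bytes remaining in HeaderBuffer before
// the std::string is built. Offset only moves on success.
bool ReadRelativePath(const Buffer& HeaderBuffer, std::size_t& Offset, std::string& Path)
{
    std::size_t Cursor = Offset;
    std::uint32_t RelativePathLength = 0;
    if (!ReadLength(HeaderBuffer, Cursor, RelativePathLength)) return false;
    // Cursor <= size() here, so the subtraction cannot wrap around.
    if (RelativePathLength > HeaderBuffer.size() - Cursor) return false;
    Path.assign(reinterpret_cast<const char*>(HeaderBuffer.data()) + Cursor,
                RelativePathLength);
    Offset = Cursor + RelativePathLength;
    return true;
}

int main()
{
    // Constructed samples: a valid field, then a length that overruns the buffer.
    const Buffer Valid = {3, 'a', '/', 'b'};
    const Buffer Malformed = {0x7F, 'a', '/', 'b'};
    std::size_t Offset = 0;
    std::string Path;
    std::cout << ReadRelativePath(Valid, Offset, Path) << ' ' << Path << '\n';
    Offset = 0;
    std::cout << ReadRelativePath(Malformed, Offset, Path) << '\n';
}
```

The comparison is written as `RelativePathLength > size - Cursor` rather than `Cursor + RelativePathLength > size` so that a very large length cannot wrap the addition and slip past the check.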

Affected Version(s)

NanaZip >= 5.0.1252.0, < 6.0.1638.0 (fixed in 6.0.1638.0)

NanaZip >= 6.1, < 6.5.1638.0 (fixed in 6.5.1638.0)

CVSS V4

Score:
5.1
Severity:
MEDIUM
Confidentiality:
None
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Attack Requirements:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved
