Stack-Based Out-of-Bounds Read in NanaZip File Archive by M2Team
CVE-2026-42446

4.4 MEDIUM

Key Information:

Vendor: M2team
Status: Vendor
CVE Published: 12 May 2026

What is CVE-2026-42446?

NanaZip, an open-source file archiving tool, contains a stack-based out-of-bounds read vulnerability within its ZealFS filesystem image parser. This issue arises when processing a specially crafted ZealFS v1 filesystem image, where an attacker can manipulate the BitmapSize field in the file header. This manipulation triggers an unbounded loop that reads beyond the allocated stack memory for the ZEALFS_V1_HEADER structure. The vulnerability has been addressed in version 6.0.1698.0. It is essential for users to update to the latest version to mitigate potential security risks.
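The bug described above is a missing bound on a size field that the parser trusts when walking a fixed-size array inside a stack-allocated header. The following is an added illustration, not NanaZip's code: the header layout (magic, version, a 16-bit BitmapSize, a 32-byte bitmap) and the function names are assumptions, but the hardening is the relevant one for this class of defect, which is to reject any BitmapSize larger than the array it indexes before the loop runs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical layout; the real ZEALFS_V1_HEADER in NanaZip differs. */
#define ZEALFS_V1_BITMAP_BYTES 32

typedef struct {
    uint8_t  Magic;
    uint8_t  Version;
    uint16_t BitmapSize;                     /* on-disk, so attacker-controlled */
    uint8_t  Bitmap[ZEALFS_V1_BITMAP_BYTES]; /* fixed-size array on the stack */
} ZEALFS_V1_HEADER;

/* Copy a raw little-endian image prefix into the header. false if too short. */
bool zealfs_v1_read_header(const uint8_t *buf, size_t len, ZEALFS_V1_HEADER *hdr)
{
    if (len < 4 + ZEALFS_V1_BITMAP_BYTES) return false;
    hdr->Magic = buf[0];
    hdr->Version = buf[1];
    hdr->BitmapSize = (uint16_t)(buf[2] | (buf[3] << 8));
    memcpy(hdr->Bitmap, buf + 4, ZEALFS_V1_BITMAP_BYTES);
    return true;
}

/* Count set bits in the first BitmapSize bytes of the bitmap.
 * Returns -1 when BitmapSize exceeds the array: looping up to the
 * untrusted field without this check is the CVE-2026-42446 pattern
 * (reads past the end of the stack-resident header). */
int zealfs_v1_count_used_pages(const ZEALFS_V1_HEADER *hdr)
{
    if (hdr->BitmapSize > sizeof hdr->Bitmap) return -1;
    int used = 0;
    for (size_t i = 0; i < hdr->BitmapSize; i++) {
        uint8_t b = hdr->Bitmap[i];
        while (b) { used += b & 1; b >>= 1; }
    }
    return used;
}

/* Parse and count in one step. -2: truncated input, -1: bad BitmapSize. */
int zealfs_v1_used_pages_from_image(const uint8_t *img, size_t len)
{
    ZEALFS_V1_HEADER hdr;
    if (!zealfs_v1_read_header(img, len, &hdr)) return -2;
    return zealfs_v1_count_used_pages(&hdr);
}
```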

Affected Version(s)

NanaZip >= 5.0.1250.0, < 6.0.1698.0

CVSS V3.1

Score: 4.4
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
