Heap Out-of-Bounds Read in NanaZip Affects Windows Users
CVE-2026-47222
5.4MEDIUM
What is CVE-2026-47222?
A heap out-of-bounds read vulnerability exists in NanaZip, a 7-Zip derivative, affecting versions from 3.0.1000.0 to before 6.0.1698.0. An issue in the Android Verified Boot (AVB) vbmeta image parser creates opportunities for exploitation via an attacker-controlled value_num_bytes field. This oversight in bounds checking may allow a crafted .avb or .img file to manipulate memory access, leading to a crash due to reading beyond the intended buffer limit, resulting in a denial of service when the application is engaged. Users are advised to update to stable version 6.0.1698.0 or preview version 6.5.1742.0 to mitigate this vulnerability. For additional details, visit the security advisory on GitHub.
Affected Version(s)
NanaZip >= 3.0.1000.0, < 6.0.1698.0
