Heap Out-of-Bounds Read in NanaZip Affects Windows Users
CVE-2026-47222

5.4MEDIUM

Key Information:

Vendor

M2team

Status
Vendor
CVE Published:
12 June 2026

What is CVE-2026-47222?

A heap out-of-bounds read vulnerability exists in NanaZip, a 7-Zip derivative, affecting versions from 3.0.1000.0 to before 6.0.1698.0. An issue in the Android Verified Boot (AVB) vbmeta image parser creates opportunities for exploitation via an attacker-controlled value_num_bytes field. This oversight in bounds checking may allow a crafted .avb or .img file to manipulate memory access, leading to a crash due to reading beyond the intended buffer limit, resulting in a denial of service when the application is engaged. Users are advised to update to stable version 6.0.1698.0 or preview version 6.5.1742.0 to mitigate this vulnerability. For additional details, visit the security advisory on GitHub.

Affected Version(s)

NanaZip >= 3.0.1000.0, < 6.0.1698.0

References

CVSS V3.1

Score:
5.4
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
Required
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.