Heap Out-of-Bounds Read in NanaZip by M2Team
CVE-2026-47223
5.4MEDIUM
What is CVE-2026-47223?
NanaZip, a derivative of 7-Zip, is vulnerable to a heap out-of-bounds read due to a flaw in its Android Verified Boot (AVB) vbmeta image parser. This vulnerability affects versions from 3.0.1000.0 to prior to 6.0.1698.0, where improper handling of the salt_len field allows an attacker to potentially perform memory operations beyond the intended limits. This issue can lead to program instability and may allow an attacker to exploit the memory space. Fortunately, it has been addressed in stable release 6.0.1698.0 and preview release 6.5.1742.0. For more details, you can visit the NanaZip security advisory.
Affected Version(s)
NanaZip >= 3.0.1000.0, < 6.0.1698.0
