Buffer Allocation Vulnerability in NanaZip Product by M2Team
CVE-2026-55780
2.4LOW
What is CVE-2026-55780?
NanaZip, a modern derivative of 7-Zip designed for Windows, suffers from a buffer allocation issue in its .NET single-file bundle handler. The flaw arises when the extraction buffer is sized based solely on the bundle entry Size field, which lacks proper validation against the actual file size. This inadequacy can be exploited by crafted bundles, leading to attacker-chosen memory allocations. Such conditions may result in std::bad_alloc or std::length_error exceptions escaping through the COM STDMETHODCALLTYPE boundary, potentially causing the application to crash. This vulnerability has been addressed in version 6.5.1749.0.
Affected Version(s)
NanaZip < 6.5.1749.0
