Buffer Allocation Vulnerability in NanaZip Product by M2Team
CVE-2026-55780

2.4LOW

Key Information:

Vendor

M2team

Status
Vendor
CVE Published:
10 July 2026

What is CVE-2026-55780?

NanaZip, a modern derivative of 7-Zip designed for Windows, suffers from a buffer allocation issue in its .NET single-file bundle handler. The flaw arises when the extraction buffer is sized based solely on the bundle entry Size field, which lacks proper validation against the actual file size. This inadequacy can be exploited by crafted bundles, leading to attacker-chosen memory allocations. Such conditions may result in std::bad_alloc or std::length_error exceptions escaping through the COM STDMETHODCALLTYPE boundary, potentially causing the application to crash. This vulnerability has been addressed in version 6.5.1749.0.

Affected Version(s)

NanaZip < 6.5.1749.0

References

CVSS V4

Score:
2.4
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
Low
Attack Vector:
Local
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.