Skip to main content

Nanazip CVE-2026-27014

MEDIUM
Uncontrolled Recursion (CWE-674)
2026-02-19 security-advisories@github.com
5.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

3
Analysis Generated
Mar 12, 2026 - 22:03 vuln.today
PoC Detected
Feb 20, 2026 - 19:27 vuln.today
Public exploit code
CVE Published
Feb 19, 2026 - 21:18 nvd
MEDIUM 5.5

DescriptionGitHub Advisory

NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular NextOffset chains cause an infinite loop, and deeply nested directories cause unbounded recursion (stack overflow) in the ROMFS archive parser. Version 6.0.1630.0 patches the issue.

AnalysisAI

NanaZip versions 5.0.1252.0 through 6.0.1629.0 are vulnerable to denial of service through malformed ROMFS archives that trigger infinite loops via circular offset chains or stack overflow via deeply nested directory structures. Public exploit code exists for this vulnerability, allowing local attackers to crash the application and cause a denial of service. No patch is currently available.

Technical ContextAI

Classified as CWE-674 (Uncontrolled Recursion). Affects Nanazip. NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular NextOffset chains cause an infinite loop, and deeply nested directories cause unbounded recursion (stack overflow) in the ROMFS archive parser. Version 6.0.1630.0 patches the issue.

RemediationAI

Monitor vendor advisories for a patch.

CVE-2026-27114 HIGH POC
7.5 Feb 19

Nanazip versions up to 6.0.1630.0 is affected by loop with unreachable exit condition (infinite loop) (CVSS 7.5).

CVE-2026-26282 MEDIUM POC
6.6 Feb 19

NanaZip versions 5.0.1252.0 through 6.0.1629.0 contain an out-of-bounds heap read in the .NET Single File bundle parser

CVE-2026-27711 MEDIUM POC
6.6 Feb 26

NanaZip versions 5.0.1252.0 through 6.5.1637.0 contain an out-of-bounds memory access flaw in the UFS file parser that c

CVE-2026-27709 MEDIUM POC
6.6 Feb 26

Out-of-bounds memory read in NanaZip versions 5.0.1252.0 through 6.0.1637.x allows local authenticated attackers to disc

CVE-2026-27710 MEDIUM POC
5.0 Feb 26

NanaZip versions 5.0.1252.0 through 6.5.1637.x contain an integer underflow in the .NET Single File Application parser t

CVE-2026-47223 MEDIUM
5.4 Jun 12

Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser allows unauthenticated remote attac

CVE-2026-47222 MEDIUM
5.4 Jun 12

Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser crashes the application and may lea

CVE-2026-44215 MEDIUM
4.4 May 12

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a one-byte heap out-of-bounds null write e

CVE-2026-42446 MEDIUM
4.4 May 12

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a stack-based out-of-bounds read exists in

CVE-2026-47224 MEDIUM
4.3 Jun 12

Heap out-of-bounds read in NanaZip's inherited 7-Zip LvmHandler component allows an unauthenticated remote attacker to c

CVE-2026-42445 LOW
3.3 May 12

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability ex

CVE-2026-42444 LOW
3.3 May 12

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a denial-of-service vulnerability exists i

Share

CVE-2026-27014 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy