Severity by source
AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
File-based delivery requires user to open archive (UI:R, PR:N); heap out-of-bounds read yields partial disclosure and crash risk but no write primitive (C:L, I:N, A:L).
Primary rating from Vendor (GitHub_M).
CVSS Vector (Vendor: GitHub_M)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L
Description (CVE.org)
NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). A 32-bit unsigned integer overflow in the bounds check `pos + ht.salt_len > descSize` allows an attacker-controlled `salt_len` field to bypass validation, causing `CByteBuffer::CopyFrom` to memcpy up to ~4 GiB past the end of a 64. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.
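The following added example (not code from NanaZip, 7-Zip or the vendor patch) shows why a bounds check of the shape quoted above fails when the sum wraps at 32 bits, next to an overflow-safe form that compares the length against the bytes remaining. The function names, buffer sizes and field values are assumptions constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: the check in the shape quoted in the description.
   The sum is reduced modulo 2^32, so a huge salt_len wraps to a small value. */
static bool fits_wrapping(uint32_t pos, uint32_t salt_len, uint32_t desc_size)
{
    uint32_t end = (uint32_t)(pos + salt_len);   /* may wrap */
    return !(end > desc_size);
}

/* Hypothetical helper: overflow-safe form. Compare the length against the
   bytes remaining instead of adding two untrusted values. */
static bool fits_checked(uint32_t pos, uint32_t salt_len, uint32_t desc_size)
{
    return pos <= desc_size && salt_len <= desc_size - pos;
}

/* Copy a length-prefixed field only when it lies inside the descriptor and
   the destination can hold it. Returns bytes copied, or -1 on rejection. */
static long copy_field(uint8_t *dst, size_t dst_cap, const uint8_t *desc,
                       uint32_t desc_size, uint32_t pos, uint32_t len)
{
    if (!fits_checked(pos, len, desc_size) || len > dst_cap)
        return -1;
    memcpy(dst, desc + pos, len);
    return (long)len;
}

int main(void)
{
    uint8_t desc[128] = {0}, out[64];            /* constructed sample sizes */
    uint32_t pos = 100, bad_len = 0xFFFFFFF0u;   /* constructed values */

    printf("wrapping check accepts: %d\n", fits_wrapping(pos, bad_len, 128u));
    printf("checked form accepts:   %d\n", fits_checked(pos, bad_len, 128u));
    printf("copy_field result:      %ld\n",
           copy_field(out, sizeof out, desc, 128u, pos, bad_len));
    return 0;
}
```

With the constructed values, `100 + 0xFFFFFFF0` wraps to 84, which passes the wrapping check even though the field extends far beyond the 128-byte descriptor.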
Analysis (AI)
Heap out-of-bounds read in NanaZip's Android Verified Boot (AVB) vbmeta image parser allows unauthenticated remote attackers to read up to approximately 4 GiB of heap memory or crash the application by delivering a crafted archive to a Windows user who opens it. Affected versions span 3.0.1000.0 through all releases before 6.0.1698.0, with the vulnerability rooted in an inherited integer overflow flaw in 7-Zip's upstream AvbHandler. …
Vulnerability Assessment (AI)
| Aspect | Assessment |
| --- | --- |
| Exploitation | Exploitation requires a victim user on Windows to actively open a specially crafted file that contains a malformed Android Verified Boot (AVB) vbmeta image using a NanaZip installation in the affected version range (3.0.1000.0 to before 6.0.1698.0). … |
| Risk Assessment | The NVD CVSS 3.1 score of 5.4 Medium is coherent with the attack profile: network-accessible (AV:N), no authentication required (PR:N), and low complexity (AC:L), but gated by mandatory user interaction (UI:R) - the victim must open a malicious archive. … |
| Exploit Scenario | An attacker crafts a malicious archive embedding an AVB vbmeta image with an oversized `salt_len` field calculated to cause the 32-bit overflow that defeats the `pos + ht.salt_len > descSize` bounds check. The file is delivered to a Windows target via phishing email, malicious download, or shared network storage, and the victim opens it with a vulnerable NanaZip version. … |
| Remediation | Upgrade NanaZip to stable version 6.0.1698.0 or preview version 6.5.1742.0, both confirmed as patched by the vendor in the GitHub Security Advisory GHSA-qhc5-mh6j-4g75 at https://github.com/M2Team/NanaZip/security/advisories/GHSA-qhc5-mh6j-4g75. … |
EUVD-2026-36508