CVE-2026-26282 is a buffer over-read vulnerability classified under CWE-126, affecting the open-source file archiver NanaZip. The vulnerability arises from a missing bounds check in the .NET Single File bundle header parser component of NanaZip versions starting from 5.0.1252.0 up to but not including 6.0.1630.0. When a user opens a specially crafted archive file, the parser reads beyond the allocated heap buffer, resulting in an out-of-bounds heap read. This can cause the application to crash or leak sensitive heap data to the user, potentially exposing information that resides in memory during parsing. The vulnerability requires the attacker to have local access with limited privileges and for the user to interact by opening the malicious file. No authentication beyond limited privileges is needed, and no network vector is involved. The CVSS 4.0 base score is 5.2, reflecting medium severity due to the limited attack vector and user interaction requirement. The flaw has not been reported exploited in the wild. The issue was addressed and patched in NanaZip version 6.0.1630.0 by adding proper bounds checking in the parser to prevent out-of-bounds reads.

The primary impact of this vulnerability is the potential for application crashes, leading to denial of service for the user running NanaZip. More critically, the out-of-bounds read can leak heap memory contents, which may include sensitive information such as file metadata, user data, or other in-memory secrets depending on the environment and usage context. Although the attacker requires local access and user interaction, this vulnerability could be leveraged in targeted attacks where malicious archive files are delivered via phishing or social engineering. Organizations relying on NanaZip for file archiving and extraction may face operational disruptions and risk of information disclosure. The scope is limited to affected versions and local users, but the risk is non-negligible in environments where untrusted files are handled frequently. Since no known exploits exist in the wild, the immediate threat is moderate, but the vulnerability should be addressed promptly to prevent future exploitation.

Organizations should upgrade NanaZip to version 6.0.1630.0 or later, where the vulnerability is patched. Until the update can be applied, users should avoid opening untrusted or suspicious archive files with affected versions of NanaZip. Implement endpoint security controls to detect and block malicious archive files and monitor for abnormal application crashes. Employ user training to recognize phishing attempts that may deliver crafted archives. Restrict local user privileges where possible to limit the ability to execute or open untrusted files. Additionally, consider using alternative, unaffected archiving tools for handling untrusted files. Regularly audit and update software dependencies to minimize exposure to known vulnerabilities.