CVE-2026-26282 is a buffer over-read vulnerability classified under CWE-126 affecting the NanaZip open-source file archiving tool developed by M2Team. The vulnerability arises from an out-of-bounds heap read in the .NET Single File bundle header parser component due to a missing bounds check during parsing operations. Specifically, when NanaZip processes a specially crafted archive file, it can read beyond the allocated heap buffer, potentially causing the application to crash or leak sensitive heap data to the user. This vulnerability affects NanaZip versions starting from 5.0.1252.0 up to but not including 6.0.1630.0, with the issue resolved in version 6.0.1630.0. The CVSS v4.0 base score is 5.2, indicating a medium severity level. The attack vector is local (AV:L), requiring low attack complexity (AC:L), no privileges required (PR:L), and some user interaction (UI:P). The vulnerability impacts confidentiality partially (VC:L) and availability highly (VA:H), but does not affect integrity or integrity scope. No known exploits have been reported in the wild. The vulnerability could be leveraged by an attacker with local access to cause denial of service or to leak potentially sensitive heap memory contents, which might contain residual data from previous operations. The flaw is particularly relevant for environments where NanaZip is used to open untrusted or potentially malicious archive files. The root cause is a missing bounds check in the parser, a common programming error leading to out-of-bounds memory access. The patch involves adding proper bounds validation to prevent reading beyond allocated buffers.

The primary impact of CVE-2026-26282 is the potential for denial of service through application crashes when processing maliciously crafted archive files. Additionally, the vulnerability can lead to partial leakage of heap memory contents, which may expose sensitive information if such data resides in the affected memory regions. Although the confidentiality impact is limited, any leaked data could be leveraged in further attacks depending on the environment. Since exploitation requires local access and user interaction to open a crafted file, the attack surface is somewhat constrained. However, in environments where NanaZip is used to handle files from untrusted sources or shared via removable media, the risk increases. Organizations relying on NanaZip for file decompression in user workstations or servers could face operational disruption or data exposure. The vulnerability does not allow remote exploitation or privilege escalation, limiting its scope. Nonetheless, the medium severity rating reflects the need for timely remediation to prevent potential abuse, especially in sensitive or high-security environments.

To mitigate CVE-2026-26282, organizations should immediately upgrade NanaZip to version 6.0.1630.0 or later, where the vulnerability is patched. Until the upgrade can be applied, restrict the use of NanaZip to trusted users and avoid opening archive files from untrusted or unknown sources. Implement endpoint protection controls to monitor and restrict execution of untrusted archive files. Employ application whitelisting to limit which applications can run on user systems, reducing the risk of exploitation. Educate users about the risks of opening files from unknown origins and enforce policies to scan all incoming files with updated antivirus and endpoint detection tools. For environments requiring higher security, consider sandboxing or isolating file extraction operations to contain potential crashes or data leaks. Regularly audit and update software dependencies to ensure timely application of security patches. Finally, monitor security advisories from M2Team and related communities for any emerging exploit reports or additional patches.