
CVE-2026-27014: CWE-674: Uncontrolled Recursion in M2Team NanaZip

Severity: Medium
Tags: Vulnerability, CVE-2026-27014, CWE-674
Published: Thu Feb 19 2026 (02/19/2026, 20:45:07 UTC)
Source: CVE Database V5
Vendor/Project: M2Team
Product: NanaZip

Description

CVE-2026-27014 is a medium severity vulnerability in M2Team's NanaZip archive software, affecting versions from 5.0.1252.0 up to but not including 6.0.1630.0. It arises from uncontrolled recursion in the ROMFS archive parser: deeply nested directories and circular NextOffset chains cause the parser to loop indefinitely or to recurse until the stack overflows. Exploitation requires local access with low privileges and some user interaction, such as opening a crafted archive file. The vulnerability can cause application crashes or denial of service but does not directly lead to code execution or data compromise.

AI-Powered Analysis

AILast updated: 02/20/2026, 07:54:13 UTC

Technical Analysis

CVE-2026-27014 is a vulnerability classified under CWE-674 (Uncontrolled Recursion) affecting the NanaZip open-source file archiving tool developed by M2Team. The flaw exists in the ROMFS archive parser component of NanaZip versions from 5.0.1252.0 up to, but not including, 6.0.1630.0. It manifests when the parser encounters circular NextOffset chains within an archive or deeply nested directory structures. A circular chain makes the parser loop indefinitely; excessive nesting drives unbounded recursion and a stack overflow. Either way the application crashes, resulting in denial of service. Exploitation requires low privileges (local access) and some user interaction, such as opening a maliciously crafted archive file. The CVSS 4.0 base score is 5.1 (medium severity): attack vector local, low attack complexity, low privileges required, and user interaction required. The vulnerability does not impact confidentiality, integrity, or availability beyond causing application crashes. No known exploits are reported in the wild as of the publication date. The issue was addressed and patched in NanaZip version 6.0.1630.0. Users of affected versions are advised to upgrade to the patched release to eliminate the risk.
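The two failure modes above (a NextOffset chain that loops back on itself, and nesting deep enough to exhaust the stack) are both defeated by the same parser discipline: track which headers have already been reached, iterate siblings with a loop rather than recursion, and cap directory depth. The following is an added illustration of that discipline, not NanaZip's code or its fix. It works on a constructed, simplified in-memory model of a ROMFS-like image (the field names `next`, `firstChild` and the depth limit `kMaxDepth` are assumptions made for the example; real ROMFS packs these into fixed-size binary headers).

```cpp
// Added example: bounded traversal of a simplified ROMFS-like directory image.
// Constructed data model for illustration; not NanaZip's parser.
#include <cstddef>
#include <cstdint>
#include <iostream>
#include <string>
#include <vector>

// Simplified file-header model. Real ROMFS headers are packed binary records
// where `next` is a byte offset; here indices into a vector stand in for offsets.
struct Entry {
    std::string name;
    int64_t next;       // index of the next sibling header, -1 = end of chain
    int64_t firstChild; // for directories: first header inside it, -1 = empty
    bool isDir;
};

enum class WalkStatus { Ok, CircularChain, TooDeep, BadOffset };

struct WalkResult {
    WalkStatus status;
    size_t entriesVisited;
};

// Assumed limit for the example; a real parser picks a value comfortably below
// its thread's stack budget and the format's realistic nesting depth.
constexpr size_t kMaxDepth = 64;

class BoundedWalker {
public:
    explicit BoundedWalker(const std::vector<Entry>& image)
        : image_(image), seen_(image.size(), false) {}

    WalkResult walk(int64_t start) {
        WalkStatus s = walkChain(start, 0);
        return {s, visited_};
    }

private:
    // Siblings are followed iteratively; recursion happens only per directory
    // level, so `depth` bounds the stack usage directly.
    WalkStatus walkChain(int64_t offset, size_t depth) {
        if (depth > kMaxDepth) return WalkStatus::TooDeep;
        while (offset != -1) {
            if (offset < 0 || static_cast<size_t>(offset) >= image_.size())
                return WalkStatus::BadOffset;
            size_t idx = static_cast<size_t>(offset);
            // Every header is physically present once; reaching one twice means
            // the next/child offsets form a cycle (the CWE-674 trigger).
            if (seen_[idx]) return WalkStatus::CircularChain;
            seen_[idx] = true;
            ++visited_;
            const Entry& e = image_[idx];
            if (e.isDir && e.firstChild != -1) {
                WalkStatus s = walkChain(e.firstChild, depth + 1);
                if (s != WalkStatus::Ok) return s;
            }
            offset = e.next;
        }
        return WalkStatus::Ok;
    }

    const std::vector<Entry>& image_;
    std::vector<bool> seen_;
    size_t visited_ = 0;
};

// Constructed sample images for the demonstration.
std::vector<Entry> makeWellFormedImage() {
    // root(0) -> [docs(1), readme.txt(2)]; docs -> [notes.txt(3)]
    return {
        {"root", -1, 1, true},
        {"docs", 2, 3, true},
        {"readme.txt", -1, -1, false},
        {"notes.txt", -1, -1, false},
    };
}

std::vector<Entry> makeCircularImage() {
    // a(0) -> b(1) -> a(0): the sibling chain never terminates
    return {
        {"a", 1, -1, false},
        {"b", 0, -1, false},
    };
}

std::vector<Entry> makeDeepImage(size_t depth) {
    // d0 contains d1 contains d2 ... : one directory per nesting level
    std::vector<Entry> v;
    for (size_t i = 0; i < depth; ++i) {
        int64_t child = (i + 1 < depth) ? static_cast<int64_t>(i + 1) : -1;
        v.push_back({"d" + std::to_string(i), -1, child, true});
    }
    return v;
}

WalkStatus checkImage(const std::vector<Entry>& image) {
    return BoundedWalker(image).walk(0).status;
}

int main() {
    std::cout << "well-formed: " << static_cast<int>(checkImage(makeWellFormedImage())) << "\n";
    std::cout << "circular:    " << static_cast<int>(checkImage(makeCircularImage())) << "\n";
    std::cout << "deep(200):   " << static_cast<int>(checkImage(makeDeepImage(200))) << "\n";
    return 0;
}
```

The walker rejects the circular image after two visits instead of spinning, and rejects the 200-level image at the depth cap instead of recursing 200 frames deep; a parser that lacks either check exhibits exactly the hang or stack overflow the advisory describes. The same `seen_` bitmap also catches a directory whose first-child offset points back at an ancestor, which is the other way a crafted image can manufacture a cycle.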

Potential Impact

The primary impact of CVE-2026-27014 is denial of service due to application crashes caused by infinite loops or stack overflows when processing maliciously crafted ROMFS archives. For organizations, this can disrupt workflows that rely on NanaZip for archive extraction or management, potentially halting automated processes or user activities involving archive files. While the vulnerability does not allow remote code execution or data exfiltration, repeated exploitation could degrade system stability or availability, especially in environments where NanaZip is integrated into automated pipelines or used frequently by multiple users. The requirement for local access and user interaction limits the attack surface, but insider threats or phishing attacks delivering malicious archives could still exploit this flaw. Overall, the impact is moderate, affecting availability of the application but not leading to broader system compromise.

Mitigation Recommendations

To mitigate CVE-2026-27014, organizations should:
1) Upgrade NanaZip to version 6.0.1630.0 or later, where the vulnerability is patched.
2) Implement strict controls on archive files received from untrusted or unknown sources, including scanning and sandboxing before opening.
3) Educate users about the risks of opening archive files from suspicious emails or downloads to reduce the likelihood of user interaction with malicious files.
4) Where possible, restrict local user privileges to limit the ability to execute or open potentially harmful files.
5) Monitor application logs for crashes or unusual behavior related to archive processing that may indicate exploitation attempts.
6) Consider using alternative archive tools with robust security track records if NanaZip is not essential.
These steps go beyond generic advice by focusing on patching, user awareness, and operational controls specific to archive handling.


Technical Details

Data Version
5.2
Assigner Short Name
GitHub_M
Date Reserved
2026-02-17T03:08:23.490Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 699812af2c4d84f260aeb048

Added to database: 2/20/2026, 7:52:15 AM

Last enriched: 2/20/2026, 7:54:13 AM

Last updated: 2/20/2026, 12:17:37 PM

Views: 5
