CVE-2026-27014 is a vulnerability classified under CWE-674 (Uncontrolled Recursion) affecting the open-source file archiver NanaZip developed by M2Team. Specifically, the flaw exists in the ROMFS archive parser component of NanaZip versions starting from 5.0.1252.0 up to but not including 6.0.1630.0. The vulnerability is triggered when the parser encounters circular NextOffset chains within the ROMFS archive format, which causes an infinite loop, or when it processes deeply nested directory structures that lead to unbounded recursion. This unbounded recursion can result in a stack overflow, causing the application to crash or behave unpredictably. The vulnerability does not require authentication but does require local access with low privileges and some user interaction, such as opening a crafted archive file. The CVSS 4.0 base score is 5.1, reflecting a medium severity level, with the vector indicating local attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on availability. No known exploits are reported in the wild as of the publication date. The issue was addressed and patched in NanaZip version 6.0.1630.0. This vulnerability can be leveraged to cause denial of service conditions, potentially disrupting workflows or automated processes that rely on NanaZip for archive extraction or management.

The primary impact of CVE-2026-27014 is denial of service (DoS) through application or system crashes caused by stack overflow or infinite loops in the archive parser. This can disrupt business operations, especially in environments where NanaZip is integrated into automated file processing pipelines or used extensively for archive management. While the vulnerability does not allow direct code execution or privilege escalation, the DoS can lead to loss of availability of critical tools or systems. In multi-user environments, an attacker with local access could exploit this vulnerability to degrade system reliability or cause interruptions. Additionally, if NanaZip is used in security-sensitive contexts, such as scanning or unpacking archives in sandboxed environments, the vulnerability could be used to evade detection or cause resource exhaustion. The lack of known exploits limits immediate risk, but the medium severity and ease of triggering via crafted archives warrant timely mitigation.

Organizations should upgrade NanaZip to version 6.0.1630.0 or later, where the vulnerability has been patched. Until the update can be applied, users should avoid opening ROMFS archives from untrusted or unknown sources, especially those with deeply nested directories or suspicious structures. Implementing file scanning and validation controls to detect malformed or suspicious archive files can reduce risk. Restricting local user permissions to prevent unauthorized archive extraction and monitoring application crashes or abnormal behavior related to NanaZip can help detect exploitation attempts. For environments with automated archive processing, consider sandboxing NanaZip processes or using alternative archiving tools without this vulnerability. Security teams should also educate users about the risks of opening untrusted archives and maintain up-to-date software inventories to identify affected versions promptly.