CVE-2026-27114: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') in M2Team NanaZip

Severity: Medium
Tags: cve-2026-27114, cwe-835
Published: Thu Feb 19 2026 (02/19/2026, 20:58:52 UTC)
Source: CVE Database V5
Vendor/Project: M2Team
Product: NanaZip

Description

CVE-2026-27114 is a medium severity vulnerability in NanaZip versions from 5.0.1252.0 up to but not including 6.0.1630.0. It involves an infinite loop caused by circular NextOffset chains in the ROMFS archive parser, leading to a denial of service condition. Exploitation requires local privileges and user interaction, with low attack complexity. The vulnerability does not impact confidentiality or integrity but can cause high availability disruption.

AI-Powered Analysis

AI analysis last updated: 02/19/2026, 21:31:28 UTC

Technical Analysis

CVE-2026-27114 is a vulnerability classified under CWE-835 (Loop with Unreachable Exit Condition) affecting the open-source file archiver NanaZip. Specifically, the flaw exists in the ROMFS archive parser component of NanaZip versions starting from 5.0.1252.0 up to but excluding 6.0.1630.0. The vulnerability arises when the parser encounters circular NextOffset chains within ROMFS archives, causing the parser to enter an infinite loop. This infinite loop results in a denial of service (DoS) condition by exhausting CPU resources or causing the application to hang indefinitely. The attack vector is local (AV:L), requiring the attacker to have limited privileges (PR:L) and user interaction (UI:P) to trigger the condition, such as opening or processing a crafted archive file. The vulnerability does not affect confidentiality or integrity but has a high impact on availability. The CVSS 4.0 base score is 5.1, reflecting medium severity. The issue was publicly disclosed on February 19, 2026, and patched in NanaZip version 6.0.1630.0. No known exploits have been reported in the wild, but the vulnerability could be leveraged by attackers to disrupt systems relying on affected versions of NanaZip for archive management.
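The failure mode described above (a parser that follows a NextOffset chain until it reaches a terminator, and therefore never terminates when the chain loops back on itself) and the corresponding fix can be illustrated with a small hardened list walker. This is an added example written for this page, not NanaZip's or 7-Zip's code. It assumes a simplified ROMFS-like record layout (a 4-byte big-endian offset of the next entry, 0 meaning end of list, followed by a 16-byte NUL-padded name); the function names walkChain, makeGoodImage, makeCyclicImage and makeOobImage, and the sample images they build, are constructed for illustration.

```cpp
#include <cstdint>
#include <iostream>
#include <string>
#include <unordered_set>
#include <vector>

// Simplified ROMFS-like entry (constructed layout, not the real on-disk format):
//   bytes 0..3  : big-endian offset of the next entry in the list (0 = end of list)
//   bytes 4..19 : entry name, NUL-padded to 16 bytes
constexpr size_t kHeaderSize = 20;
constexpr size_t kNameSize = 16;

enum class WalkStatus { Ok, Cycle, OutOfBounds, TooManyEntries };

struct WalkResult {
    WalkStatus status;
    std::vector<std::string> names;
};

static uint32_t readBe32(const std::vector<uint8_t>& img, size_t off) {
    return (uint32_t(img[off]) << 24) | (uint32_t(img[off + 1]) << 16) |
           (uint32_t(img[off + 2]) << 8) | uint32_t(img[off + 3]);
}

static std::string readName(const std::vector<uint8_t>& img, size_t off) {
    size_t len = 0;
    while (len < kNameSize && img[off + len] != 0) ++len;
    return std::string(reinterpret_cast<const char*>(&img[off]), len);
}

// Hardened walk. A naive walker (`while (off != 0) { ...; off = next; }`) has no exit
// condition other than the terminator, so a chain that revisits an earlier offset spins
// forever (CWE-835). Three guards close that: every header is bounds-checked before it
// is read, an offset seen before aborts the walk as a cycle, and a hard cap bounds the
// total number of entries even if a crafted image avoids exact repeats.
WalkResult walkChain(const std::vector<uint8_t>& img, uint32_t first, size_t maxEntries = 1u << 16) {
    WalkResult r{WalkStatus::Ok, {}};
    std::unordered_set<uint32_t> seen;
    uint32_t off = first;
    while (off != 0) {
        if (off > img.size() || img.size() - off < kHeaderSize) { r.status = WalkStatus::OutOfBounds; return r; }
        if (!seen.insert(off).second) { r.status = WalkStatus::Cycle; return r; }
        if (seen.size() > maxEntries) { r.status = WalkStatus::TooManyEntries; return r; }
        uint32_t next = readBe32(img, off);
        r.names.push_back(readName(img, off + 4));
        off = next;
    }
    return r;
}

// Helper to build constructed sample images.
static void putEntry(std::vector<uint8_t>& img, size_t off, uint32_t next, const std::string& name) {
    if (img.size() < off + kHeaderSize) img.resize(off + kHeaderSize, 0);
    img[off]     = static_cast<uint8_t>(next >> 24);
    img[off + 1] = static_cast<uint8_t>(next >> 16);
    img[off + 2] = static_cast<uint8_t>(next >> 8);
    img[off + 3] = static_cast<uint8_t>(next);
    for (size_t i = 0; i < kNameSize && i < name.size(); ++i) img[off + 4 + i] = static_cast<uint8_t>(name[i]);
}

// Constructed: a well-formed list 16 -> 36 -> 56 -> end (16 leading bytes stand in for a superblock).
std::vector<uint8_t> makeGoodImage() {
    std::vector<uint8_t> img(16, 0);
    putEntry(img, 16, 36, "alpha");
    putEntry(img, 36, 56, "beta");
    putEntry(img, 56, 0, "gamma");
    return img;
}

// Constructed: the second entry points back at the first, so the chain is 16 -> 36 -> 16 -> ...
std::vector<uint8_t> makeCyclicImage() {
    std::vector<uint8_t> img(16, 0);
    putEntry(img, 16, 36, "alpha");
    putEntry(img, 36, 16, "beta");
    return img;
}

// Constructed: the next offset points past the end of the image.
std::vector<uint8_t> makeOobImage() {
    std::vector<uint8_t> img(16, 0);
    putEntry(img, 16, 4096, "alpha");
    return img;
}

int main() {
    for (auto* mk : {makeGoodImage, makeCyclicImage, makeOobImage}) {
        WalkResult r = walkChain(mk(), 16);
        std::cout << "status=" << static_cast<int>(r.status) << " entries=" << r.names.size() << "\n";
    }
    return 0;
}
```

The visited set alone is enough to stop an exact cycle; the entry cap is what bounds the work when a crafted list is merely very long or when offsets are only bounded by the image size, and it is cheap to keep. Rejecting the archive on any of the three conditions is the right outcome for an extractor: a list that cannot be terminated is not one that can be trusted.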

Potential Impact

The primary impact of CVE-2026-27114 is denial of service through application hang or resource exhaustion caused by an infinite loop in the archive parser. Organizations using vulnerable versions of NanaZip may experience system instability or unavailability of services that depend on archive extraction or processing. This can disrupt workflows, especially in environments where automated or bulk archive handling is common. Although the vulnerability requires local access and user interaction, it could be exploited by malicious insiders or through social engineering to deliver crafted archives. The lack of confidentiality or integrity impact limits the risk of data leakage or corruption, but availability disruption can still have significant operational consequences. Systems with high reliance on NanaZip for file management, such as software development, digital forensics, or backup solutions, are particularly at risk. The absence of known exploits reduces immediate threat but does not eliminate the risk of future exploitation.

Mitigation Recommendations

To mitigate this vulnerability, organizations should upgrade NanaZip to version 6.0.1630.0 or later, where the infinite loop issue is patched. Until the update can be applied, restrict the use of NanaZip to trusted users and avoid opening untrusted or suspicious ROMFS archives. Implement application whitelisting and endpoint protection to detect and block attempts to process malicious archives. Monitor system resource usage for unusual spikes that could indicate exploitation attempts. Educate users about the risks of opening files from unverified sources, especially archives. For environments where NanaZip is integrated into automated workflows, validate and sanitize archive inputs before processing. Consider alternative archive tools that do not exhibit this vulnerability if immediate patching is not feasible. Maintain up-to-date backups and incident response plans to quickly recover from potential denial of service incidents.


Technical Details

Data Version: 5.2
Assigner Short Name: GitHub_M
Date Reserved: 2026-02-17T18:42:27.043Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 69977dd1d7880ec89b33bbea

Added to database: 2/19/2026, 9:17:05 PM

Last enriched: 2/19/2026, 9:31:28 PM

Last updated: 2/19/2026, 11:21:21 PM