CVE-2026-27114 is a vulnerability classified under CWE-835 (Loop with Unreachable Exit Condition) found in the NanaZip file archiver software developed by M2Team. The issue specifically affects the ROMFS archive parser component in NanaZip versions starting from 5.0.1252.0 up to 6.0.1630.0. The vulnerability is triggered when the parser encounters circular NextOffset chains within a ROMFS archive, causing the parsing loop to never reach an exit condition, resulting in an infinite loop. This infinite loop leads to resource exhaustion, effectively causing a denial of service (DoS) condition on the host system. The CVSS 4.0 base score is 5.1, reflecting a medium severity level, with attack vector local, low attack complexity, no privileges required beyond local user, and user interaction needed. The vulnerability does not impact confidentiality, integrity, or availability beyond the DoS effect. The issue was reserved on February 17, 2026, and publicly disclosed on February 19, 2026. The fix was introduced in NanaZip version 6.0.1630.0, which corrects the parser logic to detect and handle circular NextOffset chains properly, thereby preventing the infinite loop. There are no known exploits in the wild at this time, and no public proof-of-concept code has been reported.

The primary impact of CVE-2026-27114 is a denial of service condition caused by an infinite loop in the ROMFS archive parser of NanaZip. This can lead to application hang or crash, potentially affecting user productivity and system stability. Since NanaZip is a local file archiver, the attack requires the victim to open a maliciously crafted archive file, limiting remote exploitation. However, in environments where NanaZip is used extensively for processing archives, such as software development, digital forensics, or IT operations, this vulnerability could be leveraged to disrupt workflows or cause temporary system unavailability. The impact is mostly confined to the affected host and does not extend to network-wide compromise or data breaches. No data corruption or privilege escalation is associated with this vulnerability. Organizations relying on NanaZip for archive management should consider the risk of denial of service and the potential operational disruptions it may cause.

To mitigate CVE-2026-27114, organizations should upgrade NanaZip to version 6.0.1630.0 or later, where the infinite loop issue has been fixed. Until the upgrade is applied, users should avoid opening ROMFS archives from untrusted or unknown sources to reduce the risk of triggering the infinite loop. Implementing application whitelisting and restricting the use of NanaZip to trusted personnel can further reduce exposure. Monitoring system performance and application behavior for signs of hangs or excessive CPU usage during archive extraction can help detect attempted exploitation. Additionally, sandboxing NanaZip or running it with limited privileges can minimize the impact of any denial of service. Regularly reviewing and applying updates from the vendor is critical to maintaining security posture against such vulnerabilities.