CVE-2026-27709 is a medium-severity vulnerability classified under CWE-125 (Out-of-bounds Read) affecting NanaZip, a popular open-source file archiving tool developed by M2Team. The vulnerability resides in the .NET Single File Application parser component responsible for processing manifest data within archive bundles. Specifically, when parsing the RelativePathLength field in the manifest, a crafted archive can specify a malformed length value that causes the parser to read memory beyond the allocated HeaderBuffer. This out-of-bounds read leads to undefined behavior, including application crashes and the potential disclosure of sensitive in-process memory contents. The flaw affects NanaZip versions starting from 5.0.1252.0 up to versions prior to 6.0.1638.0 and 6.5.1638.0, which contain the fix. Exploitation requires the victim to open a maliciously crafted archive file, implying user interaction is necessary. The vulnerability requires low privileges (local access) and does not require authentication. The CVSS 4.0 vector indicates low attack complexity and no user privileges but does require user interaction. No known public exploits have been reported to date. The issue was publicly disclosed on February 25, 2026, with patches available in the latest NanaZip releases. This vulnerability could be leveraged by attackers to cause denial of service or leak sensitive memory data from the application process, potentially aiding further exploitation or information gathering.

The primary impact of CVE-2026-27709 is the potential for denial of service through application crashes when processing malicious archives, which can disrupt normal operations for users relying on NanaZip for file extraction and archiving. Additionally, the out-of-bounds read may disclose sensitive memory contents from the process, potentially exposing confidential information or aiding attackers in crafting further attacks. While the vulnerability requires user interaction and local access, it poses a risk in environments where users frequently handle untrusted archive files, such as corporate networks, software development environments, and shared file repositories. The medium severity rating reflects moderate risk, but organizations with high-value data or strict availability requirements should prioritize remediation. Since NanaZip is open source and used globally, unpatched systems remain vulnerable to targeted attacks or accidental crashes caused by malformed archives.

To mitigate CVE-2026-27709, organizations should immediately upgrade NanaZip to versions 6.0.1638.0 or later, where the vulnerability is fixed. If upgrading is not immediately feasible, users should avoid opening archive files from untrusted or unknown sources to reduce exposure. Implementing endpoint security solutions that scan archives for malicious content before extraction can help detect crafted bundles exploiting this flaw. Additionally, applying application whitelisting and restricting user permissions to prevent unauthorized software installation or execution can limit exploitation opportunities. Monitoring application logs for crashes related to NanaZip may help identify attempted exploitation. Developers and security teams should also consider sandboxing archive extraction processes to contain potential memory disclosures or crashes. Regularly reviewing and updating software dependencies and educating users about risks associated with opening unverified archives will further reduce risk.