CVE-2026-27709 is a medium severity vulnerability classified as CWE-125 (Out-of-bounds Read) found in NanaZip, an open-source file archiving tool developed by M2Team. The flaw exists in the .NET Single File Application parser component used by NanaZip versions starting from 5.0.1252.0 up to versions prior to 6.0.1638.0 and 6.5.1638.0. Specifically, the vulnerability occurs during manifest parsing when a maliciously crafted archive bundle supplies a malformed RelativePathLength value. This malformed value causes the parser to construct a std::string from memory beyond the allocated HeaderBuffer, resulting in an out-of-bounds read. The consequence of this memory access violation can lead to application crashes (denial of service) and potential disclosure of in-process memory contents, which may include sensitive data. Exploitation requires the attacker to have local access with low privileges and involves user interaction to open or process the crafted archive. The vulnerability does not require elevated privileges or network access, limiting its attack surface. No public exploits or active exploitation have been reported to date. NanaZip versions 6.0.1638.0 and 6.5.1638.0 include patches that correct the manifest parsing logic to prevent out-of-bounds reads. The CVSS v4.0 base score of 5.1 reflects the moderate risk posed by this vulnerability, balancing the potential impact against the conditions required for exploitation.

The primary impact of CVE-2026-27709 is the potential for application crashes leading to denial of service when processing maliciously crafted archive files. Additionally, the out-of-bounds read may allow attackers to disclose sensitive in-process memory data, which could include confidential information or cryptographic material depending on the application's runtime context. While the vulnerability requires local access and user interaction, it could be leveraged by attackers who can trick users into opening malicious archives, such as through phishing or social engineering. Organizations relying on NanaZip for file archiving and extraction may face operational disruptions and data confidentiality risks if vulnerable versions are used. The scope is limited to systems where NanaZip is installed and used, primarily affecting end-user workstations and possibly some servers. Since no known exploits are in the wild, the immediate threat is moderate, but the vulnerability could be weaponized in targeted attacks against organizations that use NanaZip extensively or handle sensitive data archives.

To mitigate CVE-2026-27709, organizations should immediately upgrade NanaZip to versions 6.0.1638.0 or 6.5.1638.0, where the vulnerability is patched. Until upgrades can be applied, restrict the use of NanaZip to trusted users and environments, and avoid opening untrusted or suspicious archive files. Implement endpoint security controls that detect and block attempts to open malformed archives. Educate users about the risks of opening archives from unknown or unverified sources to reduce the likelihood of social engineering exploitation. Additionally, consider application whitelisting to prevent execution of unauthorized versions of NanaZip. Monitoring for abnormal application crashes or memory access errors related to NanaZip can help detect exploitation attempts. Finally, maintain regular backups and incident response plans to recover from potential denial-of-service conditions.