CVE-2026-27710 is an integer underflow vulnerability classified under CWE-191 found in the NanaZip file archiver software, specifically in its .NET Single File Application parser. The vulnerability affects NanaZip versions starting from 5.0.1252.0 up to versions prior to 6.0.1638.0 and 6.5.1638.0. The root cause is an integer underflow during the calculation of the header size when processing a specially crafted archive bundle. This underflow causes the software to miscalculate the size, leading to an attempt to allocate an unbounded amount of memory. Such an allocation can exhaust system resources, resulting in a denial-of-service (DoS) condition by crashing the application or severely degrading system performance. The CVSS 4.0 base score is 5.1, indicating medium severity, with attack vector local (AV:L), low attack complexity (AC:L), no privileges required (PR:L), and user interaction required (UI:P). The vulnerability does not impact confidentiality, integrity, or availability beyond the DoS effect. The flaw was publicly disclosed on February 25, 2026, and fixed in NanaZip versions 6.0.1638.0 and 6.5.1638.0. No known exploits have been reported in the wild, but the vulnerability could be leveraged by attackers to disrupt systems where vulnerable versions are in use. The issue highlights the importance of robust input validation and safe integer arithmetic in archive parsing code.

The primary impact of CVE-2026-27710 is denial-of-service, where an attacker can cause NanaZip to crash or consume excessive memory by opening a maliciously crafted archive. This can disrupt workflows that rely on NanaZip for file compression and decompression, potentially halting automated processes or user activities involving archive files. While the vulnerability does not allow code execution or data compromise, the DoS can affect availability of services or systems that depend on NanaZip, especially in environments where it is integrated into automated pipelines or used by multiple users. Organizations with many users or automated systems processing archives may experience operational disruptions. Since exploitation requires local access and user interaction, remote exploitation is unlikely without additional attack vectors. However, insider threats or social engineering could facilitate exploitation. The absence of known exploits reduces immediate risk, but unpatched systems remain vulnerable to targeted DoS attacks.

To mitigate CVE-2026-27710, organizations should upgrade NanaZip to versions 6.0.1638.0 or later, where the vulnerability is fixed. Until upgrades can be applied, restrict access to vulnerable NanaZip versions to trusted users only and avoid opening untrusted or suspicious archive files. Implement application whitelisting and endpoint protection to detect and block attempts to open malicious archives. Monitor system resource usage for unusual spikes that may indicate exploitation attempts. Consider sandboxing or isolating archive extraction processes to limit impact of potential crashes. Educate users about the risks of opening archives from unverified sources to reduce the likelihood of user interaction-based exploitation. Regularly review and update software inventories to identify vulnerable NanaZip installations. Finally, coordinate with software vendors and security teams to stay informed about patches and advisories related to NanaZip.