CVE-2026-27711: CWE-125: Out-of-bounds Read in M2Team NanaZip
NanaZip is an open source file archiver. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, a memory corruption vulnerability in NanaZip’s UFS parser allows a crafted `.ufs/.ufs2/.img` file to trigger out-of-bounds memory access during archive open/listing. The bug is reachable via the normal user file-open flow and can cause a process crash, a hang, and potentially exploitable heap corruption. Versions 6.0.1638.0 and 6.5.1638.0 fix the issue.
AI Analysis
Technical Summary
CVE-2026-27711 is an out-of-bounds read vulnerability classified under CWE-125 found in the UFS filesystem parser component of NanaZip, an open-source file archiving tool. The vulnerability exists in versions starting from 5.0.1252.0 up to but excluding 6.0.1638.0 and 6.5.1638.0. When a user opens or lists the contents of a specially crafted archive file with extensions .ufs, .ufs2, or .img, the parser performs an out-of-bounds memory read due to improper bounds checking. This memory corruption can lead to process instability such as crashes or hangs, and potentially heap corruption that might be exploited to execute arbitrary code or escalate privileges. The attack vector is local, requiring the user to open a malicious archive file, and the attacker needs low privileges with no authentication required. The vulnerability does not affect confidentiality or integrity directly but impacts availability and potentially integrity if exploited for code execution. The issue is fixed in NanaZip versions 6.0.1638.0 and 6.5.1638.0. No public exploits or active exploitation have been reported to date.
Potential Impact
The primary impact of CVE-2026-27711 is on the availability and integrity of systems running vulnerable versions of NanaZip. Successful exploitation can cause application crashes or hangs, disrupting normal file archiving operations. More critically, the heap corruption potential could allow attackers to execute arbitrary code within the context of the user running NanaZip, leading to privilege escalation or further system compromise. Organizations relying on NanaZip for file extraction or archiving, especially in environments where users frequently handle untrusted archive files, face risks of denial of service and potential malware execution. Although the attack requires user interaction and local access, the widespread use of NanaZip on Windows platforms for archive management means many endpoints could be exposed. The absence of known exploits reduces immediate risk, but the vulnerability presents a moderate threat that could be leveraged in targeted attacks or malware campaigns.
Mitigation Recommendations
To mitigate CVE-2026-27711, organizations should immediately upgrade NanaZip to version 6.0.1638.0, 6.5.1638.0, or later, where the vulnerability is patched. Until upgrades can be deployed, users should be trained to avoid opening archive files from untrusted or unknown sources, especially those with .ufs, .ufs2, or .img extensions. Implement endpoint protection solutions with heuristic and behavioral detection to identify suspicious archive file handling or crashes. Employ application whitelisting and sandboxing techniques to limit the impact of potential exploitation. Regularly audit and monitor logs for abnormal application crashes or hangs related to NanaZip. Additionally, consider restricting the use of NanaZip to trusted users or systems, and use alternative archive tools with no known vulnerabilities in sensitive environments. Maintain an up-to-date inventory of software versions to ensure timely patching of vulnerable components.
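The inventory check recommended above can be automated against the version range this advisory states. The following is an added example, not code from NanaZip or from this advisory's publisher; the host names and the sample versions are constructed, and it assumes that 6.0 and 6.5 are separate release lines with 6.5 starting at 6.5.0.0.

```python
import re

# Boundaries taken from the advisory text.
FIRST_AFFECTED = (5, 0, 1252, 0)
FIXED_6_0 = (6, 0, 1638, 0)
FIXED_6_5 = (6, 5, 1638, 0)
# Assumption (not stated in the advisory): the 6.5 release line starts here.
LINE_6_5_START = (6, 5, 0, 0)

def parse_version(text):
    """Return a 4-tuple for 'a.b.c.d' (missing parts become 0), or None if malformed."""
    m = re.fullmatch(r"\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?(?:\.(\d+))?\s*", text or "")
    if not m:
        return None
    return tuple(int(g) if g else 0 for g in m.groups())

def classify(version_text):
    """Map a version string to affected / fixed / outside-range / unknown."""
    v = parse_version(version_text)
    if v is None:
        return "unknown"            # cannot be ruled out, needs a manual look
    if v < FIRST_AFFECTED:
        return "outside-range"      # older than the first version the advisory lists
    if v < FIXED_6_0:
        return "affected"           # 5.0.1252.0 up to, not including, 6.0.1638.0
    if LINE_6_5_START <= v < FIXED_6_5:
        return "affected"           # 6.5 line before its fixed build
    return "fixed"

def triage(inventory):
    """Return (host, version, status) rows that still need action, sorted by host."""
    rows = ((host, ver, classify(ver)) for host, ver in inventory)
    return sorted(r for r in rows if r[2] in ("affected", "unknown"))

# Constructed sample inventory (hosts and version strings are illustrative only).
SAMPLE_INVENTORY = [
    ("ws-001", "5.0.1252.0"),
    ("ws-002", "6.0.1638.0"),
    ("ws-003", "6.5.1600.0"),
    ("ws-004", "6.5.1638.0"),
    ("ws-005", "3.1.1080.0"),
    ("ws-006", "n/a"),
]

if __name__ == "__main__":
    for host, ver, status in triage(SAMPLE_INVENTORY):
        print(f"{host}\t{ver}\t{status}")
```

Rows reported as `unknown` are kept in the output on purpose, so that a malformed inventory entry is reviewed rather than silently treated as patched.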
Affected Countries
United States, Germany, Japan, South Korea, United Kingdom, Canada, France, Australia, Netherlands, Sweden
Technical Details
- Data Version: 5.2
- Assigner Short Name: GitHub_M
- Date Reserved: 2026-02-23T17:56:51.203Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 699f8c2fb7ef31ef0b6c21cb
Added to database: 2/25/2026, 11:56:31 PM
Last enriched: 3/5/2026, 11:27:41 AM
Last updated: 4/12/2026, 11:16:06 AM