CVE-2026-44215: CWE-787: Out-of-bounds Write in M2Team NanaZip
NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a one-byte heap out-of-bounds null write exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS filesystem image. The attacker controls the byte offset of the write within a ~254-byte window past the heap allocation boundary. This vulnerability is fixed in 6.0.1698.0.
AI Analysis
Technical Summary
NanaZip versions >= 5.0.1250.0 and < 6.0.1698.0 contain a heap-based out-of-bounds write vulnerability (CWE-787) in the UFS/UFS2 filesystem image parser. When a specially crafted UFS filesystem image is opened, the software performs a one-byte null write beyond the allocated heap buffer, with the offset controlled by the attacker within approximately 254 bytes past the boundary. This can lead to integrity and availability impacts. The issue is resolved in version 6.0.1698.0.
Potential Impact
The vulnerability does not impact confidentiality but can cause limited integrity and availability issues due to the out-of-bounds write. The CVSS 3.1 base score is 4.4 (medium), reflecting local attack vector, low complexity, no privileges required, user interaction needed, unchanged scope, no confidentiality impact, low integrity impact, and low availability impact. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability is fixed in NanaZip version 6.0.1698.0. Users should upgrade to this version or later to remediate the issue. No other official remediation or temporary fixes are indicated. Patch status is confirmed by the vendor's versioning information.
CVE-2026-44215: CWE-787: Out-of-bounds Write in M2Team NanaZip
Description
NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a one-byte heap out-of-bounds null write exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS filesystem image. The attacker controls the byte offset of the write within a ~254-byte window past the heap allocation boundary. This vulnerability is fixed in 6.0.1698.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
NanaZip versions >= 5.0.1250.0 and < 6.0.1698.0 contain a heap-based out-of-bounds write vulnerability (CWE-787) in the UFS/UFS2 filesystem image parser. When a specially crafted UFS filesystem image is opened, the software performs a one-byte null write beyond the allocated heap buffer, with the offset controlled by the attacker within approximately 254 bytes past the boundary. This can lead to integrity and availability impacts. The issue is resolved in version 6.0.1698.0.
Potential Impact
The vulnerability does not impact confidentiality but can cause limited integrity and availability issues due to the out-of-bounds write. The CVSS 3.1 base score is 4.4 (medium), reflecting local attack vector, low complexity, no privileges required, user interaction needed, unchanged scope, no confidentiality impact, low integrity impact, and low availability impact. There are no known exploits in the wild.
Mitigation Recommendations
This vulnerability is fixed in NanaZip version 6.0.1698.0. Users should upgrade to this version or later to remediate the issue. No other official remediation or temporary fixes are indicated. Patch status is confirmed by the vendor's versioning information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-05T15:13:47.572Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a03813fcbff5d861012f6e9
Added to database: 5/12/2026, 7:36:31 PM
Last enriched: 5/12/2026, 8:07:20 PM
Last updated: 5/13/2026, 4:51:48 AM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.