CVE-2026-47222: CWE-125: Out-of-bounds Read in M2Team NanaZip
NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). An unsigned integer underflow in a bounds check allows an attacker-controlled value_num_bytes field to pass validation, causing AddNameToString to read up to ~4 GiB past the end of a 64 KiB heap buffer. This causes a deterministic crash (denial of service) when opening a crafted .avb or .img file. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.
AI Analysis
Technical Summary
CVE-2026-47222 is a heap out-of-bounds read vulnerability in NanaZip's AVB vbmeta image parser, inherited from the upstream 7-Zip AvbHandler. The vulnerability arises from an unsigned integer underflow in a bounds check, which permits an attacker-controlled value_num_bytes field to bypass validation. This leads to the AddNameToString function reading up to approximately 4 GiB beyond a 64 KiB heap buffer, causing a deterministic crash when opening a maliciously crafted .avb or .img file. The flaw affects NanaZip versions >=3.0.1000.0 and <6.0.1698.0 and has been fixed in version 6.0.1698.0 and the preview 6.5.1742.0.
Potential Impact
Successful exploitation results in a denial of service via a deterministic crash of the NanaZip application when processing crafted AVB vbmeta images. There is no indication of confidentiality or integrity impact. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, low confidentiality impact, no integrity impact, and low availability impact.
Mitigation Recommendations
A fix is available in NanaZip stable version 6.0.1698.0 and preview version 6.5.1742.0. Users should upgrade to these or later versions to remediate this vulnerability. No other mitigations are specified or required.
CVE-2026-47222: CWE-125: Out-of-bounds Read in M2Team NanaZip
Description
NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). An unsigned integer underflow in a bounds check allows an attacker-controlled value_num_bytes field to pass validation, causing AddNameToString to read up to ~4 GiB past the end of a 64 KiB heap buffer. This causes a deterministic crash (denial of service) when opening a crafted .avb or .img file. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.
CVSS v3.1
Score 5.4medium
Affected software
pkg:github/m2team/NanaZipRun on your own infrastructure? Check whether these packages are installed with threat-finder — our free open-source scanner.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-47222 is a heap out-of-bounds read vulnerability in NanaZip's AVB vbmeta image parser, inherited from the upstream 7-Zip AvbHandler. The vulnerability arises from an unsigned integer underflow in a bounds check, which permits an attacker-controlled value_num_bytes field to bypass validation. This leads to the AddNameToString function reading up to approximately 4 GiB beyond a 64 KiB heap buffer, causing a deterministic crash when opening a maliciously crafted .avb or .img file. The flaw affects NanaZip versions >=3.0.1000.0 and <6.0.1698.0 and has been fixed in version 6.0.1698.0 and the preview 6.5.1742.0.
Potential Impact
Successful exploitation results in a denial of service via a deterministic crash of the NanaZip application when processing crafted AVB vbmeta images. There is no indication of confidentiality or integrity impact. The CVSS 3.1 base score is 5.4 (medium severity), reflecting network attack vector, low attack complexity, no privileges required, user interaction required, unchanged scope, low confidentiality impact, no integrity impact, and low availability impact.
Mitigation Recommendations
A fix is available in NanaZip stable version 6.0.1698.0 and preview version 6.5.1742.0. Users should upgrade to these or later versions to remediate this vulnerability. No other mitigations are specified or required.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-05-18T22:25:21.258Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a2c3d54e617e2d83492a81e
Added to database: 6/12/2026, 5:09:40 PM
Last enriched: 6/12/2026, 5:24:34 PM
Last updated: 6/12/2026, 6:12:49 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.