CVE-2026-27014
Received Received - Intake

Stack Overflow and Infinite Loop in NanaZip ROMFS Parser

Vulnerability report for CVE-2026-27014, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-02-19

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description

NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular `NextOffset` chains cause an infinite loop, and deeply nested directories cause unbounded recursion (stack overflow) in the ROMFS archive parser. Version 6.0.1630.0 patches the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-02-19
Last Modified
2026-02-20
Generated
2026-07-06
AI Q&A
2026-02-19
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
m2team nanazip From 5.0.1252.0 (inc) to 6.0.1630.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in NanaZip, an open source file archive software. In versions starting from 5.0.1252.0 up to but not including 6.0.1630.0, the ROMFS archive parser can be exploited by specially crafted archives that contain circular NextOffset chains or deeply nested directories.

The circular NextOffset chains cause the parser to enter an infinite loop, while deeply nested directories cause unbounded recursion, leading to a stack overflow. Both conditions can disrupt normal operation of the software.

This issue was fixed in version 6.0.1630.0.

Impact Analysis

Exploitation of this vulnerability can cause NanaZip to become unresponsive or crash due to infinite loops or stack overflows when processing maliciously crafted archives.

This can lead to denial of service conditions, potentially interrupting workflows that rely on NanaZip for archive extraction or management.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update NanaZip to version 6.0.1630.0 or later, as this version patches the issue with circular NextOffset chains and deeply nested directories causing infinite loops and stack overflows.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27014. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart