CVE-2026-27014
Received Received - Intake
Stack Overflow and Infinite Loop in NanaZip ROMFS Parser

Publication date: 2026-02-19

Last updated on: 2026-02-20

Assigner: GitHub, Inc.

Description
NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular `NextOffset` chains cause an infinite loop, and deeply nested directories cause unbounded recursion (stack overflow) in the ROMFS archive parser. Version 6.0.1630.0 patches the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-19
Last Modified
2026-02-20
Generated
2026-06-16
AI Q&A
2026-02-19
EPSS Evaluated
2026-06-14
NVD
CVE-2026-27014
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
m2team nanazip From 5.0.1252.0 (inc) to 6.0.1630.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in NanaZip, an open source file archive software. In versions starting from 5.0.1252.0 up to but not including 6.0.1630.0, the ROMFS archive parser can be exploited by specially crafted archives that contain circular NextOffset chains or deeply nested directories.

The circular NextOffset chains cause the parser to enter an infinite loop, while deeply nested directories cause unbounded recursion, leading to a stack overflow. Both conditions can disrupt normal operation of the software.

This issue was fixed in version 6.0.1630.0.

Impact Analysis

Exploitation of this vulnerability can cause NanaZip to become unresponsive or crash due to infinite loops or stack overflows when processing maliciously crafted archives.

This can lead to denial of service conditions, potentially interrupting workflows that rely on NanaZip for archive extraction or management.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update NanaZip to version 6.0.1630.0 or later, as this version patches the issue with circular NextOffset chains and deeply nested directories causing infinite loops and stack overflows.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27014. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart