CVE-2026-47222
Received - Intake
Heap Out-of-Bounds Read in NanaZip AVB Parser

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). An unsigned integer underflow in a bounds check allows an attacker-controlled value_num_bytes field to pass validation, causing AddNameToString to read up to ~4 GiB past the end of a 64 KiB heap buffer. This causes a deterministic crash (denial of service) when opening a crafted .avb or .img file. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.

Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-12
AI Q&A: 2026-06-12
EPSS Evaluated: N/A

Affected Vendors & Products
Vendor | Product | Version / Range
m2team | nanazip | to 6.0.1698.0 (exc)
m2team | nanazip | 6.0.1698.0
m2team | nanazip | 6.5.1742.0

CWE ID | Description
CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer.
CWE-191 | The product subtracts one value from another, such that the result is less than the minimum allowable integer value, which produces a value that is not equal to the correct result.
Executive Summary

CVE-2026-47222 is a heap out-of-bounds read vulnerability in NanaZip's Android Verified Boot (AVB) vbmeta image parser. It is caused by an unsigned integer underflow that allows an attacker-controlled value_num_bytes field to bypass bounds checks. This leads the function AddNameToString to read up to approximately 4 GiB beyond a 64 KiB heap buffer.

The vulnerability can be triggered by opening a specially crafted .avb or .img file, causing a deterministic crash (denial of service). This flaw exists because NanaZip includes the AvbHandler component from 7-Zip, which is disabled in the original 7-Zip builds.
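
The class of bug described above, as an added illustration that is not the 7-Zip or NanaZip source: an unsigned bounds check that wraps, beside a form that cannot wrap. The function names, the `avail` and `key_num_bytes` parameters and the 2-byte fixed overhead are assumptions; only `value_num_bytes` and the 64 KiB buffer size come from the advisory.

```c
#include <stdint.h>
#include <stdio.h>

/* Illustrative only: layout and names are assumptions, not the real parser. */
#define BUF_SIZE (64u * 1024u)    /* 64 KiB heap buffer, per the advisory */
#define OVERHEAD 2u               /* assumed fixed bytes besides key and value */

/* Flawed pattern: the subtraction is unsigned, so when key_num_bytes + OVERHEAD
   exceeds avail the result wraps to a value near 2^32 and almost any
   value_num_bytes is accepted. Returns 1 when the check passes. */
static int check_flawed(uint32_t avail, uint32_t key_num_bytes,
                        uint32_t value_num_bytes)
{
    return value_num_bytes <= avail - key_num_bytes - OVERHEAD;
}

/* Hardened pattern: prove each operand fits before subtracting it, so no
   intermediate result can go below zero. */
static int check_hardened(uint32_t avail, uint32_t key_num_bytes,
                          uint32_t value_num_bytes)
{
    if (avail < OVERHEAD) return 0;
    avail -= OVERHEAD;
    if (key_num_bytes > avail) return 0;
    avail -= key_num_bytes;
    return value_num_bytes <= avail;
}

/* Bytes a reader would touch past the buffer if the lengths were trusted.
   Computed in 64 bits so the sum itself cannot wrap. */
static uint64_t overread_bytes(uint32_t offset, uint32_t key_num_bytes,
                               uint32_t value_num_bytes)
{
    uint64_t end = (uint64_t)offset + key_num_bytes + OVERHEAD + value_num_bytes;
    return end > BUF_SIZE ? end - BUF_SIZE : 0;
}

int main(void)
{
    /* Constructed values: 16 bytes left in the buffer, key length 15. */
    uint32_t avail = 16, key = 15, value = 0xFFFFFFF0u;
    printf("flawed accepts:   %d\n", check_flawed(avail, key, value));
    printf("hardened accepts: %d\n", check_hardened(avail, key, value));
    printf("over-read bytes:  %llu\n",
           (unsigned long long)overread_bytes(BUF_SIZE - avail, key, value));
    return 0;
}
```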

Impact Analysis

This vulnerability can cause a deterministic crash of NanaZip when opening a maliciously crafted .avb or .img file, resulting in a denial of service.

An attacker could exploit this to disrupt normal use of the software, potentially causing loss of availability or interruption of workflows that depend on NanaZip for file extraction.

Detection Guidance

This vulnerability is triggered when opening a crafted .avb or .img file with vulnerable versions of NanaZip. Detection involves identifying attempts to open such malicious files or monitoring for application crashes related to the AVB vbmeta image parser.

Since the issue causes a deterministic crash (denial of service) upon processing crafted files, monitoring NanaZip application logs or system crash reports for such crashes can help detect exploitation attempts.

No specific detection commands are provided in the available resources.

Mitigation Strategies

Immediate mitigation steps include applying the patch that fixes the bounds check logic in NanaZip, upgrading to stable version 6.0.1698.0 or later, or preview version 6.5.1742.0 or later where the vulnerability is fixed.

Alternatively, disabling the extractor component that parses AVB vbmeta images can prevent exploitation.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.
