CVE-2026-47223
Heap Out-of-Bounds Read in NanaZip AVB Parser

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). A 32-bit unsigned integer overflow in the bounds check pos + ht.salt_len > descSize allows an attacker-controlled salt_len field to bypass validation, causing CByteBuffer::CopyFrom to memcpy up to ~4 GiB past the end of a 64 KiB heap buffer. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.
Meta Information
Published: 2026-06-12
Last Modified: 2026-06-12
Generated: 2026-06-13
AI Q&A: 2026-06-12
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 6 associated CPEs
Vendor Product Version / Range
m2team nanazip From 3.0.1000.0 (inc) to 6.0.1698.0 (exc)
m2team nanazip 6.0.1698.0
m2team nanazip 6.5.1742.0
nanazip nanazip From 3.0.1000.0 (inc) to 6.0.1698.0 (exc)
nanazip nanazip 6.0.1698.0
nanazip nanazip 6.5.1742.0
CWE ID Description
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
Executive Summary

CVE-2026-47223 is a heap out-of-bounds read vulnerability in NanaZip's Android Verified Boot (AVB) hashtree descriptor parser. It is caused by a 32-bit unsigned integer overflow in the bounds check involving the attacker-controlled salt_len field. This overflow allows the bounds check to be bypassed, leading to a memcpy operation that reads up to approximately 4 GiB past the end of a 64 KiB heap buffer.

The vulnerability occurs when parsing specially crafted .avb or .img files, and it can cause a deterministic crash (denial of service) or potentially limited information disclosure if the crash does not happen.

This issue affects NanaZip versions from 3.0.1000.0 up to but not including 6.0.1698.0, and it has been patched in version 6.0.1698.0 and later.
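
The wraparound described above, as an added example that is not NanaZip or 7-Zip code and not the project's actual patch: it shows the check in the form the description quotes next to one overflow-safe form. The function names, the 64-byte descriptor, the offset 48 and the length value 0xFFFFFFF0 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Check in the form the advisory quotes: the 32-bit sum wraps modulo 2^32. */
static int check_wrapping(uint32_t pos, uint32_t salt_len, uint32_t desc_size)
{
    uint32_t end = (uint32_t)(pos + salt_len);
    return !(end > desc_size);          /* 1 means "accepted" */
}

/* Overflow-safe form: compare against the bytes remaining, never add. */
static int check_safe(uint32_t pos, uint32_t salt_len, uint32_t desc_size)
{
    return pos <= desc_size && salt_len <= desc_size - pos;
}

/* Copies the salt only after the safe check; returns bytes copied or -1. */
static long copy_salt(const uint8_t *desc, uint32_t desc_size, uint32_t pos,
                      uint32_t salt_len, uint8_t *out, size_t out_cap)
{
    if (!check_safe(pos, salt_len, desc_size) || salt_len > out_cap)
        return -1;
    memcpy(out, desc + pos, salt_len);
    return (long)salt_len;
}

/* Constructed 64-byte descriptor with the salt field starting at offset 48. */
static long demo_copy(uint32_t salt_len)
{
    uint8_t desc[64] = {0}, out[32];
    return copy_salt(desc, sizeof desc, 48, salt_len, out, sizeof out);
}

int main(void)
{
    uint32_t hostile = 0xFFFFFFF0u;     /* constructed salt_len value */
    printf("wrapping check accepts hostile length: %d\n",
           check_wrapping(48, hostile, 64));
    printf("safe check accepts hostile length:     %d\n",
           check_safe(48, hostile, 64));
    printf("copy with salt_len=16: %ld, hostile: %ld\n",
           demo_copy(16), demo_copy(hostile));
    return 0;
}
```

The safe form works because desc_size - pos cannot underflow once pos <= desc_size has been established, so no intermediate value can exceed 32 bits.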

Impact Analysis

Opening a specially crafted file with a vulnerable version of NanaZip causes a deterministic crash, resulting in a denial of service.

Additionally, there is a potential for limited information disclosure if the crash does not occur, as the out-of-bounds read may expose memory contents.

Detection Guidance

This vulnerability is triggered when NanaZip opens crafted .avb or .img files that exploit the heap out-of-bounds read in the AVB hashtree descriptor parser. Detection involves monitoring for crashes or abnormal behavior in NanaZip when handling such files.

Since the issue occurs when a file is opened through NanaZip's AVB handler, one way to detect exposure is to identify installations of vulnerable NanaZip versions (from 3.0.1000.0 up to, but not including, 6.0.1698.0) and to monitor for application crashes or denial of service events related to file parsing.

Specific commands to detect the vulnerability are not provided in the available resources.

Mitigation Strategies

The immediate mitigation step is to update NanaZip to a patched version where this vulnerability is fixed. The issue has been resolved in stable version 6.0.1698.0 and preview version 6.5.1742.0.

Avoid opening untrusted or suspicious .avb or .img files with vulnerable versions of NanaZip to prevent triggering the heap out-of-bounds read.

Compliance Impact

The vulnerability in NanaZip can lead to limited information disclosure and denial of service due to a heap out-of-bounds read caused by an integer overflow. Such information disclosure risks may impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access or leaks.

However, the provided information does not explicitly detail the nature or sensitivity of the data that could be exposed, nor does it specify direct compliance implications with these standards.
