{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-26282", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-02-12T17:10:53.414Z", "datePublished": "2026-02-19T20:41:49.223Z", "dateUpdated": "2026-02-20T20:02:32.672Z"}, "containers": {"cna": {"title": "NanaZip has DotNet Single file OOB Heap Read", "problemTypes": [{"descriptions": [{"cweId": "CWE-126", "lang": "en", "description": "CWE-126: Buffer Over-read", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "PASSIVE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.2, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-ccpc-2222-xv5c", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-ccpc-2222-xv5c"}, {"name": "https://github.com/user-attachments/files/25274143/poc.exe.zip", "tags": ["x_refsource_MISC"], "url": "https://github.com/user-attachments/files/25274143/poc.exe.zip"}], "affected": [{"vendor": "M2Team", "product": "NanaZip", "versions": [{"version": ">= 5.0.1252.0, < 6.0.1630.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T20:41:49.223Z"}, "descriptions": [{"lang": "en", "value": "NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, NanaZip has an out-of-bounds heap read in `.NET Single File` bundle header parser due to missing bounds check. Opening a crafted file with NanaZip causes a crash or leaks heap data to the user. Version 6.0.1630.0 patches the issue."}], "source": {"advisory": "GHSA-ccpc-2222-xv5c", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-20T20:02:04.332187Z", "id": "CVE-2026-26282", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:02:32.672Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-26282", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-20T20:02:04.332187Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-20T20:02:25.006Z"}}], "cna": {"title": "NanaZip has DotNet Single file OOB Heap Read", "source": {"advisory": "GHSA-ccpc-2222-xv5c", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.2, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N", "userInteraction": "PASSIVE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW"}}], "affected": [{"vendor": "M2Team", "product": "NanaZip", "versions": [{"status": "affected", "version": ">= 5.0.1252.0, < 6.0.1630.0"}]}], "references": [{"url": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-ccpc-2222-xv5c", "name": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-ccpc-2222-xv5c", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/user-attachments/files/25274143/poc.exe.zip", "name": "https://github.com/user-attachments/files/25274143/poc.exe.zip", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, NanaZip has an out-of-bounds heap read in `.NET Single File` bundle header parser due to missing bounds check. Opening a crafted file with NanaZip causes a crash or leaks heap data to the user. Version 6.0.1630.0 patches the issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-126", "description": "CWE-126: Buffer Over-read"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-02-19T20:41:49.223Z"}}}, "cveMetadata": {"cveId": "CVE-2026-26282", "state": "PUBLISHED", "dateUpdated": "2026-02-20T20:02:32.672Z", "dateReserved": "2026-02-12T17:10:53.414Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-02-19T20:41:49.223Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:m2team:nanazip:*:*:*:*:*:*:*:*", "matchCriteriaId": "E60CB87F-33E9-4D29-A928-4AB8C9EA8743", "versionEndExcluding": "6.0.1630.0", "versionStartIncluding": "5.0.1252.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, NanaZip has an out-of-bounds heap read in `.NET Single File` bundle header parser due to missing bounds check. Opening a crafted file with NanaZip causes a crash or leaks heap data to the user. Version 6.0.1630.0 patches the issue."}], "id": "CVE-2026-26282", "lastModified": "2026-02-20T19:42:56.213", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "baseScore": 6.6, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 1.3, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.2, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "PASSIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-02-19T21:18:31.500", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Third Party Advisory"], "url": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-ccpc-2222-xv5c"}, {"source": "security-advisories@github.com", "tags": ["Exploit"], "url": "https://github.com/user-attachments/files/25274143/poc.exe.zip"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-126"}], "source": "security-advisories@github.com", "type": "Primary"}, {"description": [{"lang": "en", "value": "CWE-125"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[5.0.1252.0,6.0.1630.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "NanaZip", "source": "cna", "vendor": "M2Team"}, "product": "nanazip", "vendor": "m2team"}], "analysis": {"en": {"generated_at": "2026-04-17T17:54:50.164436+00:00", "value": {"mitigation_remediation": ["Upgrade NanaZip to version 6.0.1630.0 or later, which contains the fix for the out\u2011of\u2011bounds read.", "If an immediate upgrade is not possible, isolate the use of NanaZip from untrusted or externally supplied archives by applying file\u2011level permissions or running the application within a sandbox environment to contain a crash or data leakage.", "Use a reputable antivirus or content\u2011analysis tool to scan archives before opening them with NanaZip, thereby reducing the chance that a malicious file triggers the heap read bug."], "summary": {"action": "Patch", "impact": "Out-of-Bounds Heap Read Leading to Data Exposure or Crash"}, "threat_synthesis": {"affected_systems": "The issue affects the M2Team NanaZip open\u2011source file archive application. Affected releases include all builds starting at version 5.0.1252.0 and up to, but not including, 6.0.1630.0. The patch is available in NanaZip 6.0.1630.0 and newer. Users of earlier versions are vulnerable.", "description_and_impact": "In NanaZip versions 5.0.1252.0 through 6.0.1629.999, the .NET Single File bundle header parser performs a missing bounds check, allowing an attacker to trigger an out-of-bounds heap read when a crafted archive is opened. The result is either a program crash or the leakage of sensitive heap data to the user, which may expose confidential information but does not directly allow code execution. The vulnerability is classified under CWE-125 and CWE-126 and carries a CVSS score of 5.2, indicating a moderate severity.", "risk_and_exploitability": "The CVSS score of 5.2 reflects a moderate impact, while the EPSS score of less than 1\u202f% indicates a very low likelihood of exploitation in the wild. NanaZip does not appear in the CISA KEV catalog. Because the flaw is triggered by opening a crafted archive file, the attack vector is inferred to be local or user\u2011initiated; no network\u2011based exploitation is described. An attacker who can supply a malicious file to a target user can cause a denial\u2011of\u2011service or information\u2011leak event, but cannot gain arbitrary code execution or remote foothold."}}}}, "created": "2026-02-20T09:54:00.690392+00:00", "updated": "2026-04-17T18:00:12.182761+00:00", "vendors": ["m2team", "m2team$PRODUCT$nanazip"]}