CVE-2026-47223
MediumCVSS 5.4Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
In NanaZip, from version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser. A 32-bit unsigned integer overflow in the bounds check allows an attacker-controlled salt_len field to bypass validation.
Risk Assessment
This vulnerability could lead to serious security issues, allowing attackers to gain unauthorized access to memory, potentially resulting in data leaks or malicious code execution.
Recommendation
It is recommended to update to stable version 6.0.1698.0 or preview version 6.5.1742.0 to mitigate this vulnerability.
Original NVD description (English source)
NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). A 32-bit unsigned integer overflow in the bounds check pos + ht.salt_len > descSize allows an attacker-controlled salt_len field to bypass validation, causing CByteBuffer::CopyFrom to memcpy up to ~4 GiB past the end of a 64. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.

