CVE Catalog

CVE-2026-47224

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.19%

8th percentile — higher than 8% of all known CVEs

Summary

NanaZip, a derivative of 7-Zip, has a heap buffer-overflow read vulnerability in the LVM2 physical-volume metadata parser. This issue exists in versions from 3.0.1000.0 to before 6.0.1698.0 when opening a crafted LVM disk image.

Risk Assessment

Exploitation of this vulnerability may lead to unauthorized memory access, potentially resulting in data leakage or remote code execution. Organizations should be aware of the risks associated with opening unknown LVM disk images.

Recommendation

It is recommended to update NanaZip to version 6.0.1698.0 or later to mitigate this vulnerability. Additionally, avoid opening unknown or suspicious LVM disk images.

Original NVD description (English source)

NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap buffer-overflow read exists in the LVM2 physical-volume metadata parser in NanaZip (via the upstream 7-Zip LvmHandler). The vulnerability is triggered when opening a crafted LVM disk image. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS