CVE-2026-47224
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
NanaZip, a derivative of 7-Zip, has a heap buffer-overflow read vulnerability in the LVM2 physical-volume metadata parser. This issue exists in versions from 3.0.1000.0 to before 6.0.1698.0 when opening a crafted LVM disk image.
Risk Assessment
Exploitation of this vulnerability may lead to unauthorized memory access, potentially resulting in data leakage or remote code execution. Organizations should be aware of the risks associated with opening unknown LVM disk images.
Recommendation
It is recommended to update NanaZip to version 6.0.1698.0 or later to mitigate this vulnerability. Additionally, avoid opening unknown or suspicious LVM disk images.
Original NVD description (English source)
NanaZip is the 7-Zip derivative intended for the modern Windows experience. From version 3.0.1000.0 to before version 6.0.1698.0, a heap buffer-overflow read exists in the LVM2 physical-volume metadata parser in NanaZip (via the upstream 7-Zip LvmHandler). The vulnerability is triggered when opening a crafted LVM disk image. This issue has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.

