CVE-2026-27014 Overview
NanaZip is an open source file archiver that contains a denial of service vulnerability in its ROMFS archive parser. Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular NextOffset chains cause an infinite loop, and deeply nested directories cause unbounded recursion leading to a stack overflow. This vulnerability allows attackers to craft malicious ROMFS archives that, when processed by NanaZip, can cause the application to hang indefinitely or crash due to resource exhaustion.
Critical Impact
Processing a specially crafted ROMFS archive can trigger an infinite loop or stack overflow, causing NanaZip to become unresponsive or crash, resulting in denial of service.
Affected Products
- NanaZip versions from 5.0.1252.0 up to, but not including, 6.0.1630.0
- Systems using NanaZip for ROMFS archive extraction
Discovery Timeline
- 2026-02-19 - CVE-2026-27014 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-27014
Vulnerability Analysis
This vulnerability is classified under CWE-674 (Uncontrolled Recursion), affecting the ROMFS archive parsing functionality in NanaZip. The vulnerability manifests through two distinct attack vectors within the ROMFS parser implementation.
The first attack vector involves circular NextOffset chains in ROMFS archive structures. When parsing the archive directory structure, the parser follows NextOffset pointers to traverse entries. A malicious archive can be crafted with circular references where the offset chain loops back to a previous entry, causing the parser to enter an infinite loop.
The second attack vector exploits the recursive nature of directory traversal. The ROMFS format supports nested directory structures, and the parser handles these through recursive function calls. When processing an archive with excessively deep directory nesting, the parser exhausts the available stack space, triggering a stack overflow and application crash.
Root Cause
The root cause of this vulnerability is insufficient input validation in the ROMFS archive parser. Specifically:
- Missing cycle detection: The parser does not track visited offsets when following NextOffset chains, allowing circular references to create infinite loops.
- Unbounded recursion depth: The recursive directory traversal implementation lacks depth limiting, allowing deeply nested structures to exhaust stack space through uncontrolled recursion.
These issues stem from trusting archive metadata without proper bounds checking or cycle detection mechanisms.
Attack Vector
The attack is local and requires user interaction: a user must be tricked into opening a maliciously crafted ROMFS archive file with NanaZip. An attacker could distribute the malicious archive through various means such as email attachments, file sharing platforms, or compromised download sites.
The crafted ROMFS archive contains either circular NextOffset pointers, which create an endless loop when the parser attempts to enumerate directory entries, or hundreds or thousands of nested directories, which exhaust the call stack during recursive traversal. See the GitHub Security Advisory for technical details.
Detection Methods for CVE-2026-27014
Indicators of Compromise
- NanaZip process consuming 100% CPU for extended periods when opening archive files
- Application crashes with stack overflow exceptions during archive extraction
- System logs indicating that NanaZip became unresponsive or terminated abnormally
- ROMFS archive files with unusually small file sizes but claiming to contain deeply nested structures
Detection Strategies
- Monitor for NanaZip processes with abnormally high CPU utilization during file operations
- Implement endpoint detection rules for stack overflow exceptions in NanaZip processes
- Deploy file inspection capabilities to identify ROMFS archives with suspicious directory depth or circular offset patterns
- Enable application crash monitoring for the NanaZip executable
Monitoring Recommendations
- Configure alerts for NanaZip application hangs or crashes in enterprise environments
- Monitor for repeated NanaZip process restarts which may indicate exploitation attempts
- Implement logging for archive file operations to identify potentially malicious files
How to Mitigate CVE-2026-27014
Immediate Actions Required
- Upgrade NanaZip to version 6.0.1630.0 or later immediately
- Avoid opening ROMFS archives from untrusted sources until patched
- Consider temporarily disabling ROMFS archive support if possible
- Implement endpoint protection to detect and block malicious archive files
Patch Information
The NanaZip development team has addressed this vulnerability in version 6.0.1630.0. The patch implements proper cycle detection for NextOffset chain traversal and adds recursion depth limits for directory parsing. Users should update to the latest version through the official NanaZip distribution channels. For more information, refer to the GitHub Security Advisory.
Workarounds
- Use alternative archive utilities for ROMFS file extraction until NanaZip is updated
- Implement network-level filtering to block ROMFS archive attachments from untrusted sources
- Configure application sandboxing to limit the impact of a potential denial of service
- Educate users to avoid opening archive files from untrusted sources
Organizations should prioritize upgrading to the patched version as the most effective mitigation strategy.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


