CVE-2026-27114 Overview
NanaZip, an open source file archiver, contains an infinite loop vulnerability in its ROMFS archive parser. Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, maliciously crafted archive files with circular NextOffset chains can trigger the infinite loop condition, causing the application to become unresponsive and consume excessive CPU resources.
Critical Impact
A local attacker can craft a malicious ROMFS archive that, when processed by NanaZip, causes a denial of service condition through an infinite loop, rendering the application unresponsive.
Affected Products
- NanaZip versions 5.0.1252.0 through 6.0.1629.x
- Systems using NanaZip for ROMFS archive extraction
- Windows environments with NanaZip installed as the default archive handler
Discovery Timeline
- 2026-02-19 - CVE-2026-27114 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-27114
Vulnerability Analysis
This vulnerability is classified under CWE-835 (Loop with Unreachable Exit Condition), commonly known as an infinite loop vulnerability. The flaw exists in NanaZip's ROMFS archive parsing functionality, where the parser fails to properly validate NextOffset field values within the archive structure.
When processing a ROMFS archive, the parser iterates through directory entries using offset pointers. Each entry contains a NextOffset field pointing to the next directory entry. The vulnerability arises when these offset values form a circular chain—where an entry's NextOffset eventually points back to a previously processed entry, creating an endless loop.
The attack requires local access and user interaction, as the victim must open or preview the malicious archive file. Once triggered, the parsing routine continuously cycles through the same set of entries, consuming CPU resources and causing the application to hang indefinitely.
Root Cause
The root cause is insufficient validation of NextOffset values in the ROMFS archive parser. The code fails to implement proper cycle detection when traversing the linked list of directory entries. Without checks to ensure each offset is only visited once, or that offsets monotonically increase within the file structure, circular references go undetected and cause infinite iteration.
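The visited-offset check described above, as an added example (not NanaZip's code or its patch). It assumes the Linux romfs layout: 16-byte aligned headers whose first big-endian word is NextOffset with the low 4 bits used as flags. WalkChain, MakeSample and the sample buffer are constructed for illustration.

```cpp
#include <cstddef>
#include <cstdint>
#include <unordered_set>
#include <vector>

enum class WalkResult { Ok, OutOfBounds, Cycle };

// Read a big-endian 32-bit word; caller guarantees off + 4 <= img.size().
static uint32_t ReadBE32(const std::vector<uint8_t>& img, size_t off) {
    return (uint32_t(img[off]) << 24) | (uint32_t(img[off + 1]) << 16) |
           (uint32_t(img[off + 2]) << 8) | uint32_t(img[off + 3]);
}

// Walk one sibling chain starting at `first`. Assumed layout (Linux romfs):
// each header is 16 bytes, its first word is NextOffset with the low 4 bits
// used as type flags, and NextOffset == 0 ends the chain.
WalkResult WalkChain(const std::vector<uint8_t>& img, uint32_t first,
                     std::vector<uint32_t>& entries) {
    constexpr size_t kHeaderSize = 16;
    std::unordered_set<uint32_t> visited;
    uint32_t off = first;
    while (off != 0) {
        if (off > img.size() || img.size() - off < kHeaderSize)
            return WalkResult::OutOfBounds;  // header would fall outside the image
        // Cycle check: insert() reports false if this offset was seen before.
        if (!visited.insert(off).second)
            return WalkResult::Cycle;
        entries.push_back(off);
        off = ReadBE32(img, off) & ~uint32_t(0xF);  // strip flag bits
    }
    return WalkResult::Ok;
}

// Constructed sample: bare headers at 0x10, 0x20, 0x30 (no superblock).
// `lastNext` is the NextOffset of the final header (0 ends the chain).
std::vector<uint8_t> MakeSample(uint32_t lastNext) {
    std::vector<uint8_t> img(0x40, 0);
    auto put = [&](size_t at, uint32_t v) {
        for (int i = 0; i < 4; ++i) img[at + i] = uint8_t(v >> (24 - 8 * i));
    };
    put(0x10, 0x20 | 0x2);  // low bits carry a type flag
    put(0x20, 0x30 | 0x2);
    put(0x30, lastNext);
    return img;
}
int main() {  // exit code 0 when the circular chain is rejected
    std::vector<uint32_t> e;
    return WalkChain(MakeSample(0x10), 0x10, e) == WalkResult::Cycle ? 0 : 1;
}
```

Because every accepted offset is recorded once, the loop is bounded by the number of distinct header positions in the image, whatever the NextOffset values say.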
Attack Vector
The attack vector is local with user interaction required. An attacker must deliver a specially crafted ROMFS archive to the target system and convince the user to open it with NanaZip. This could be accomplished through:
- Email attachments containing the malicious archive
- Downloaded files from untrusted sources
- Archive files on removable media or network shares
- Exploiting file preview functionality in file managers that use NanaZip
The vulnerability manifests in the ROMFS parsing routine where circular NextOffset chains create an infinite loop. Technical details and a proof-of-concept archive are available in the GitHub Security Advisory.
Detection Methods for CVE-2026-27114
Indicators of Compromise
- NanaZip process (NanaZip.exe) consuming 100% CPU on a single core for extended periods
- Application becoming unresponsive when opening archive files
- Presence of .romfs or disguised archive files from untrusted sources
- Task Manager showing NanaZip in "Not Responding" state during archive operations
Detection Strategies
- Monitor for NanaZip processes with abnormally high CPU utilization exceeding normal archive extraction times
- Implement file integrity monitoring to detect suspicious archive files in user download directories
- Deploy endpoint detection rules that flag archive operations taking longer than expected thresholds
- Use SentinelOne's behavioral AI to detect application hang states associated with resource exhaustion attacks
Monitoring Recommendations
- Enable process monitoring to track CPU usage patterns for NanaZip and related archive utilities
- Configure alerts for process hang detection on systems where NanaZip is commonly used
- Monitor file system activity for new ROMFS archive files appearing in user-accessible locations
- Implement logging for archive extraction operations to identify potential attack attempts
How to Mitigate CVE-2026-27114
Immediate Actions Required
- Update NanaZip to version 6.0.1630.0 or later immediately
- Advise users to avoid opening archive files from untrusted or unknown sources
- Consider temporarily disabling ROMFS archive support if updates cannot be immediately applied
- Implement application whitelisting to prevent execution of potentially malicious archive handlers
Patch Information
The vulnerability has been patched in NanaZip version 6.0.1630.0. Users should update to this version or later to remediate the infinite loop vulnerability in the ROMFS parser. The patch implements proper validation of NextOffset chains to detect and prevent circular references.
For additional details, refer to the NanaZip Security Advisory on GitHub.
Workarounds
- Avoid opening ROMFS archives from untrusted sources until the patch is applied
- Use alternative archive utilities that are not affected by this vulnerability for ROMFS files
- Implement file type filtering at email gateways and web proxies to block suspicious archive formats
- Consider running NanaZip in a sandboxed environment to limit the impact of denial of service conditions
# Verify NanaZip version to ensure patch is applied
# Check installed version via Windows Settings or command line
winget list M2Team.NanaZip
# Update NanaZip to patched version
winget upgrade M2Team.NanaZip --version 6.0.1630.0

