CVE-2026-42446: M2Team NanaZip Buffer Overflow Vulnerability

CVE-2026-42446 is a stack-based out-of-bounds read in M2Team NanaZip's ZealFS parser, triggered when a crafted ZealFS v1 image is opened. This article covers technical details, affected versions, impact, and mitigation.

CVE-2026-42446 Overview

CVE-2026-42446 is a stack-based out-of-bounds read vulnerability in NanaZip, an open source file archiver for Windows. The flaw resides in the ZealFS filesystem image parser and affects versions from 5.0.1252.0 up to but not including 6.0.1698.0. An attacker triggers the issue by convincing a user to open a crafted ZealFS v1 filesystem image. The parser reads an attacker-controlled BitmapSize field from the file header and uses it to drive an unbounded loop that reads past the end of a stack-allocated ZEALFS_V1_HEADER structure. The vulnerability is tracked as [CWE-125] Out-of-Bounds Read and is fixed in NanaZip 6.0.1698.0.

Critical Impact

Opening a malicious ZealFS image in a vulnerable NanaZip build can leak adjacent stack memory and crash the application, enabling information disclosure and denial of service.

Affected Products

  • NanaZip versions from 5.0.1252.0 up to, but not including, 6.0.1698.0
  • M2Team NanaZip on Windows platforms
  • Any workflow that auto-previews or extracts ZealFS v1 filesystem images via NanaZip

Discovery Timeline

  • 2026-05-12 - CVE-2026-42446 published to NVD
  • 2026-05-14 - Last updated in NVD database

Technical Details for CVE-2026-42446

Vulnerability Analysis

The vulnerability sits in the ZealFS filesystem image parser shipped with NanaZip. ZealFS is a simple filesystem format that NanaZip can mount and browse as an archive. When NanaZip opens a ZealFS v1 image, it allocates a ZEALFS_V1_HEADER structure on the stack and populates fields directly from the file. One of those fields, BitmapSize, controls how many bitmap entries the parser walks while initializing the volume.

The parser does not validate BitmapSize against the actual size of the stack-allocated header. An attacker who sets a large BitmapSize value forces the loop to continue reading bytes well past the structure boundary. The result is a stack-based out-of-bounds read that can disclose adjacent stack contents, including return addresses, saved registers, and local variables, or cause an access violation that terminates the process.

Root Cause

The root cause is missing bounds validation on a length field derived from untrusted input. The parser treats BitmapSize as authoritative and uses it to terminate an iteration over the header bitmap region. Because the header lives on the stack rather than in a dynamically sized buffer that matches the declared size, every iteration beyond the structure boundary reads uninitialized or unrelated stack memory.
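
The missing check described above, sketched in C as an added example (not NanaZip's code). demo_header is a hypothetical, simplified layout rather than the real ZEALFS_V1_HEADER, and both function names are made up for illustration; the unchecked function is there for contrast with the checked one.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical, simplified layout (not NanaZip's ZEALFS_V1_HEADER).
   Every member is a byte, so the struct has no padding. */
typedef struct {
    uint8_t magic, version;
    uint8_t bitmap_size;   /* length field copied from the untrusted file */
    uint8_t free_pages;
    uint8_t bitmap[32];    /* fixed capacity of the on-stack bitmap */
} demo_header;

static unsigned popcount8(uint8_t b)
{
    unsigned n = 0;
    while (b) { b &= (uint8_t)(b - 1); n++; }
    return n;
}

/* Contrast only: the loop bound is taken straight from the file. With
   bitmap_size > 32 the loop reads stack bytes beyond hdr. */
unsigned demo_used_pages_unchecked(const uint8_t *image)
{
    demo_header hdr;
    unsigned used = 0;
    memcpy(&hdr, image, sizeof hdr);
    for (size_t i = 0; i < hdr.bitmap_size; i++)
        used += popcount8(hdr.bitmap[i]);
    return used;
}

/* Hardened: reject truncated images and any bitmap_size the header
   cannot hold, before the loop runs. Returns 0 on success, -1 on reject. */
int demo_used_pages_checked(const uint8_t *image, size_t len, unsigned *used)
{
    demo_header hdr;
    if (image == NULL || used == NULL || len < sizeof hdr)
        return -1;
    memcpy(&hdr, image, sizeof hdr);
    if (hdr.bitmap_size > sizeof hdr.bitmap)
        return -1;
    *used = 0;
    for (size_t i = 0; i < hdr.bitmap_size; i++)
        *used += popcount8(hdr.bitmap[i]);
    return 0;
}
```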

Attack Vector

Exploitation requires local user interaction. An attacker crafts a malicious ZealFS v1 image, delivers it through email, a download, or a shared folder, and waits for the victim to open it in NanaZip. No elevated privileges are needed. The confidentiality impact is high because leaked stack memory may contain sensitive data, and the availability impact is high because malformed inputs reliably crash the parser. Integrity is not affected, since the bug is a read primitive rather than a write primitive.

No public proof-of-concept or in-the-wild exploitation has been reported. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.

Detection Methods for CVE-2026-42446

Indicators of Compromise

  • Unexpected NanaZip process crashes when opening .zealfs or similarly named archive files
  • ZealFS images sourced from untrusted email attachments, download portals, or removable media
  • Windows Error Reporting entries citing access violations inside the NanaZip ZealFS parser module

Detection Strategies

  • Inventory endpoints for NanaZip installations and flag any version from 5.0.1252.0 up to, but not including, 6.0.1698.0
  • Hunt for ZealFS v1 image files traversing email gateways, web proxies, and file shares
  • Correlate NanaZip crash events with recent file open activity in user telemetry to identify potential exploitation attempts

Monitoring Recommendations

  • Monitor process creation and crash telemetry for NanaZip.exe and associated handler binaries
  • Alert on archive parser child process anomalies that follow opening of unusual filesystem image formats
  • Track software inventory drift to ensure NanaZip updates to 6.0.1698.0 or later propagate across the fleet

How to Mitigate CVE-2026-42446

Immediate Actions Required

  • Upgrade all NanaZip installations to version 6.0.1698.0 or later
  • Block delivery of ZealFS v1 images at email and web gateways until patching is complete
  • Advise users to avoid opening ZealFS images received from untrusted sources

Patch Information

The issue is fixed in NanaZip 6.0.1698.0. Refer to the GitHub Security Advisory GHSA-4c79-hfr4-mqv9 for the official remediation guidance from M2Team.

Workarounds

  • Uninstall NanaZip on systems that cannot be upgraded immediately and fall back to a different archive tool
  • Remove file associations between NanaZip and ZealFS image extensions to prevent automatic handling
  • Restrict execution of NanaZip to a controlled application allowlist while patches are deployed

```powershell
# Check installed NanaZip version on Windows via PowerShell
Get-AppxPackage -Name "*NanaZip*" | Select-Object Name, Version

# Upgrade via winget once the fixed release is available
winget upgrade --id M2Team.NanaZip --version 6.0.1698.0
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
