
CVE-2026-47222: NanaZip Heap Out-of-Bounds DoS Vulnerability

CVE-2026-47222 is a heap out-of-bounds read flaw in NanaZip's AVB image parser that causes denial of service when opening crafted files. This article covers technical details, affected versions, and patches.

CVE-2026-47222 Overview

CVE-2026-47222 is a heap out-of-bounds read vulnerability in NanaZip, a 7-Zip derivative for Windows. The flaw resides in the Android Verified Boot (AVB) vbmeta image parser inherited from the upstream 7-Zip AvbHandler. An unsigned integer underflow in a bounds check allows an attacker-controlled value_num_bytes field to bypass validation. The AddNameToString routine then reads up to approximately 4 GiB past the end of a 64 KiB heap buffer. Opening a crafted .avb or .img file triggers a deterministic crash, producing a denial-of-service condition. Affected versions span 3.0.1000.0 through releases prior to 6.0.1698.0.

Critical Impact

Crafted .avb or .img files cause deterministic crashes in NanaZip when opened, enabling reliable denial-of-service against user workstations.

Affected Products

  • NanaZip versions 3.0.1000.0 through 6.0.1697.x (stable)
  • NanaZip preview versions prior to 6.5.1742.0
  • Windows systems with NanaZip handling AVB vbmeta images

Discovery Timeline

  • 2026-06-12 - CVE-2026-47222 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-47222

Vulnerability Analysis

The vulnerability lives in the AVB vbmeta image parser shared between NanaZip and upstream 7-Zip via AvbHandler. AVB vbmeta images contain descriptor records with length and offset fields the parser uses to extract embedded names and values. The parser validates these fields against the bounds of a fixed 64 KiB heap buffer before passing them to AddNameToString. The validation arithmetic operates on unsigned integers without underflow protection, which lets a malformed descriptor evade the bounds check entirely [CWE-125].

Root Cause

The defect is an unsigned integer underflow in the bounds check that gates AddNameToString. When value_num_bytes exceeds the remaining buffer size, the subtraction wraps to a large positive value rather than failing. The wrapped value satisfies the comparison and the parser proceeds as if the descriptor fits. AddNameToString then reads from the heap buffer using the attacker-supplied length, walking up to 4 GiB past the allocation. The read terminates when it strikes unmapped memory, killing the process.
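The check shape described above, as an added illustration that is not the NanaZip or 7-Zip source: a constructed descriptor check that subtracts before comparing (the underflow pattern) next to one that compares before subtracting. Field names follow the advisory text; the layout, the helper names and the sample offsets are assumptions.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define BUF_SIZE (64u * 1024u)   /* the 64 KiB heap parse buffer named in the advisory */

/* Vulnerable shape (hypothetical model of the described bug): the remaining
 * space is computed by subtraction first and compared second. When
 * value_num_bytes exceeds what is left after pos, the unsigned subtraction
 * wraps to a huge value and key_num_bytes <= rem is trivially true. */
bool fits_unsafe(uint64_t buf_size, uint64_t pos,
                 uint64_t key_num_bytes, uint64_t value_num_bytes)
{
    uint64_t rem = buf_size - pos - value_num_bytes;   /* may underflow */
    return key_num_bytes <= rem;
}

/* Hardened shape: every subtraction is preceded by a comparison proving it
 * cannot underflow, so an oversized value_num_bytes is rejected outright. */
bool fits_safe(uint64_t buf_size, uint64_t pos,
               uint64_t key_num_bytes, uint64_t value_num_bytes)
{
    if (pos > buf_size)                                   return false;
    if (value_num_bytes > buf_size - pos)                 return false;
    if (key_num_bytes > buf_size - pos - value_num_bytes) return false;
    return true;
}

int main(void)
{
    /* Constructed descriptor: 8-byte key at offset 100 with a ~4 GiB value length. */
    uint64_t pos = 100, key = 8, crafted = 0xFFFFFFFFull, benign = 1000;
    printf("crafted descriptor: unsafe=%d safe=%d\n",
           fits_unsafe(BUF_SIZE, pos, key, crafted),
           fits_safe(BUF_SIZE, pos, key, crafted));
    printf("benign descriptor:  unsafe=%d safe=%d\n",
           fits_unsafe(BUF_SIZE, pos, key, benign),
           fits_safe(BUF_SIZE, pos, key, benign));
    return 0;
}
```

Note that the unsafe check still rejects a value that is only slightly too large; it fails only once value_num_bytes exceeds the whole remaining buffer, which is why a simple "too big" test case does not catch it.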

Attack Vector

Exploitation requires user interaction. An attacker delivers a crafted .avb or .img file by email, web download, or shared storage. When the victim opens the file in NanaZip, the parser dereferences the malformed descriptor and the process crashes. The vulnerability does not yield code execution or information disclosure beyond the local process. Impact is limited to availability of the NanaZip application and any in-progress archive operation.

No verified exploit code is publicly available. Technical specifics are documented in the NanaZip GitHub Security Advisory GHSA-mqqj-crf3-6q37.

Detection Methods for CVE-2026-47222

Indicators of Compromise

  • Unexpected crashes of NanaZip.exe immediately after opening .avb or .img files
  • Windows Error Reporting (WER) entries citing access violations in the NanaZip process during archive parsing
  • Presence of unsolicited .avb or .img attachments in user mailboxes or download folders

Detection Strategies

  • Monitor application crash telemetry for NanaZip.exe faults correlated with recent file-open events on .avb or .img extensions
  • Inspect endpoint logs for NanaZip process termination with exception code 0xC0000005 shortly after archive handler invocation
  • Scan file shares and mail gateways for .avb or .img payloads delivered outside of legitimate Android development workflows

Monitoring Recommendations

  • Track NanaZip version inventory across managed endpoints and flag installations below 6.0.1698.0
  • Alert on repeated NanaZip.exe crashes from the same user or host, which may indicate active targeting
  • Forward Windows Application event logs and WER reports to centralized logging for correlation with file delivery events

How to Mitigate CVE-2026-47222

Immediate Actions Required

  • Upgrade NanaZip to stable version 6.0.1698.0 or preview version 6.5.1742.0 on all Windows endpoints
  • Block inbound .avb and .img attachments at email and web gateways for users without an Android development use case
  • Communicate to users that untrusted AVB or Android image files should not be opened in archive tools

Patch Information

The maintainers fixed the underflow in stable release 6.0.1698.0 and preview release 6.5.1742.0. The fix corrects the bounds check to reject descriptors where value_num_bytes exceeds the remaining buffer. Patch details are published in the NanaZip GitHub Security Advisory GHSA-mqqj-crf3-6q37. Organizations relying on upstream 7-Zip AvbHandler code should track equivalent fixes in their distribution.

Workarounds

  • Avoid opening .avb or .img files from untrusted sources until the patched version is deployed
  • Remove file association for .avb and .img extensions with NanaZip on systems that cannot be updated immediately
  • Restrict NanaZip execution to users with a documented need for Android image inspection via application allowlisting

```powershell
# Verify installed NanaZip version on Windows endpoints (NanaZip ships as an MSIX package)
Get-AppxPackage -Name "*NanaZip*" | Select-Object Name, Version

# Remove the machine-wide .avb and .img file associations (run as Administrator)
cmd /c "assoc .avb="
cmd /c "assoc .img="
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
