
CVE-2026-47223: NanaZip Buffer Overflow Vulnerability

CVE-2026-47223 is a heap out-of-bounds read in NanaZip caused by a 32-bit integer overflow in a bounds check inside its Android Verified Boot (AVB) vbmeta parser. This post covers the technical details, affected versions, impact, and mitigation.


CVE-2026-47223 Overview

CVE-2026-47223 is a heap out-of-bounds read vulnerability in NanaZip, the 7-Zip derivative built for the modern Windows experience. The flaw resides in the Android Verified Boot (AVB) vbmeta image parser, inherited from the upstream 7-Zip AvbHandler. The bounds check pos + ht.salt_len > descSize is evaluated in 32-bit unsigned arithmetic, so an attacker-controlled salt_len field can wrap the sum and bypass validation. CByteBuffer::CopyFrom then memcpys up to approximately 4 GiB past the end of a 64-byte buffer. The issue affects stable versions from 3.0.1000.0 up to, but not including, 6.0.1698.0 and is tracked under CWE-125 (out-of-bounds read).

Critical Impact

A crafted AVB vbmeta image triggers an out-of-bounds heap read, which can leak adjacent process memory or crash NanaZip during archive inspection.

Affected Products

  • NanaZip stable releases from 3.0.1000.0 up to, but not including, 6.0.1698.0
  • NanaZip preview releases before 6.5.1742.0
  • Other builds that carry the same upstream 7-Zip AvbHandler code path may be exposed to the same defect; consult their vendors' advisories

Discovery Timeline

  • 2026-06-12 - CVE-2026-47223 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-47223

Vulnerability Analysis

The vulnerability resides in the AVB vbmeta image parser NanaZip uses to inspect Android verified boot metadata. The parser reads a hash descriptor whose salt_len field comes directly from attacker-supplied archive data. Before copying the salt bytes, it checks the salt range with the expression pos + ht.salt_len > descSize.

Both operands are 32-bit unsigned integers, so the addition is performed modulo 2^32. When salt_len is large enough, the sum wraps to a value smaller than descSize and the bounds check passes. The parser then invokes CByteBuffer::CopyFrom, which memcpys salt_len bytes without further validation against a 64-byte destination buffer; because the length is attacker-chosen, the read can extend up to roughly 4 GiB beyond the allocated source region.

Exploitation does not yield code execution directly. It can disclose heap contents adjacent to the parsed structure, or crash the process when the read reaches unmapped memory.

Root Cause

The root cause is an unchecked 32-bit integer wraparound (CWE-190, Integer Overflow or Wraparound) in the AVB descriptor parser; the resulting out-of-bounds read is what NVD classifies as CWE-125. The expression pos + ht.salt_len > descSize neither promotes its operands to a wider type nor pre-validates salt_len against the bytes remaining after pos (salt_len <= descSize - pos, a comparison that cannot wrap) before performing the addition.
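The wrap described in the analysis and root-cause sections above, as an added example that is not NanaZip's or 7-Zip's code. The descriptor layout is constructed for the example and is not the real AVB structure: a 64-byte descriptor with a big-endian salt_len at offset 0x1C and the salt starting at pos = 0x20 (both assumptions). It runs the same input through the sum-based check the advisory describes and through a subtraction-based check that cannot wrap, and refuses to perform the memcpy the vulnerable check would have allowed. salt_fits_vulnerable, salt_fits_fixed, copy_salt, salt_bytes_copied and build_desc are this example's own names.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed layout (assumption, not the real AvbHashDescriptor): 64-byte
 * descriptor, 4-byte big-endian salt_len at 0x1C, salt bytes from pos 0x20,
 * so at most 32 bytes of salt can legitimately fit. */
#define DESC_SIZE       64u
#define SALT_LEN_OFFSET 0x1Cu
#define SALT_POS        0x20u

enum salt_result { SALT_COPIED = 0, SALT_REJECTED = 1, SALT_OVERREAD = 2 };

/* Vulnerable check, shaped like the one in the advisory: uint32 + uint32 is
 * computed modulo 2^32, so a huge salt_len can make the sum look small. */
bool salt_fits_vulnerable(uint32_t pos, uint32_t salt_len, uint32_t descSize)
{
    return !(pos + salt_len > descSize);
}

/* Hardened check: compare against the bytes remaining after pos instead of
 * adding, so there is no addition to wrap. Promoting both operands to
 * uint64_t before adding would also work; this form needs no wider type. */
bool salt_fits_fixed(uint32_t pos, uint32_t salt_len, uint32_t descSize)
{
    return pos <= descSize && salt_len <= descSize - pos;
}

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Constructed sample descriptor carrying the requested salt_len. */
static void build_desc(uint8_t desc[DESC_SIZE], uint32_t salt_len)
{
    memset(desc, 0xAA, DESC_SIZE);                 /* filler for the other fields */
    desc[SALT_LEN_OFFSET + 0] = (uint8_t)(salt_len >> 24);
    desc[SALT_LEN_OFFSET + 1] = (uint8_t)(salt_len >> 16);
    desc[SALT_LEN_OFFSET + 2] = (uint8_t)(salt_len >> 8);
    desc[SALT_LEN_OFFSET + 3] = (uint8_t)(salt_len);
}

/* Parse salt_len, run the selected check, and copy the salt only when it is
 * provably inside the descriptor. The real code trusts the check and calls
 * memcpy(dst, desc + pos, salt_len); here, if the vulnerable check let through
 * a length the fixed check rejects, we report SALT_OVERREAD instead of reading
 * past the buffer. */
enum salt_result copy_salt(uint32_t salt_len, bool use_fixed_check, uint32_t *copied)
{
    uint8_t desc[DESC_SIZE], salt[DESC_SIZE];
    build_desc(desc, salt_len);

    uint32_t pos = SALT_POS;
    uint32_t len = load_be32(desc + SALT_LEN_OFFSET);
    bool fits = use_fixed_check ? salt_fits_fixed(pos, len, DESC_SIZE)
                                : salt_fits_vulnerable(pos, len, DESC_SIZE);
    if (copied) *copied = 0;
    if (!fits)
        return SALT_REJECTED;
    if (!salt_fits_fixed(pos, len, DESC_SIZE))
        return SALT_OVERREAD;                      /* the check lied; memcpy would over-read */
    memcpy(salt, desc + pos, len);
    if (copied) *copied = len;
    return SALT_COPIED;
}

/* Number of salt bytes actually copied for a given salt_len and check. */
uint32_t salt_bytes_copied(uint32_t salt_len, bool use_fixed_check)
{
    uint32_t n = 0;
    (void)copy_salt(salt_len, use_fixed_check, &n);
    return n;
}

int main(void)
{
    /* 0x20 fits exactly; 0x21 is one byte too many; 0xFFFFFFF0 wraps the sum to 0x10 */
    const uint32_t cases[] = { 0x20u, 0x21u, 0xFFFFFFF0u };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        uint32_t wrapped = SALT_POS + cases[i];    /* the 32-bit sum the vulnerable check sees */
        printf("salt_len=0x%08" PRIX32 "  pos+salt_len=0x%08" PRIX32 "  vulnerable=%d  fixed=%d\n",
               cases[i], wrapped, (int)copy_salt(cases[i], false, NULL),
               (int)copy_salt(cases[i], true, NULL));
    }
    return 0;
}
```

With salt_len = 0xFFFFFFF0 and pos = 0x20 the 32-bit sum is 0x10, which is below descSize = 0x40, so the vulnerable check accepts a copy that would run roughly 4 GiB past the descriptor; the subtraction form compares 0xFFFFFFF0 against the 0x20 bytes that actually remain and rejects it.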

Attack Vector

An attacker delivers a malformed AVB vbmeta image to a target user, typically embedded in or presented as an archive. The user must open or inspect the file with a vulnerable NanaZip build to invoke the AvbHandler parser. Because parsing occurs during archive enumeration, no interaction beyond opening the file is required.

No authenticated code paths or network listeners are exposed by NanaZip, so exploitation depends on social engineering or supply chain delivery of the crafted image.

Verified exploit code is not publicly available. See the NanaZip GitHub Security Advisory for technical details.

Detection Methods for CVE-2026-47223

Indicators of Compromise

  • NanaZip process crashes or unexpected terminations when opening .img, .vbmeta, or generic archive files containing AVB structures
  • Archives or disk images presenting AVB magic bytes AVB0 with abnormally large salt_len fields in hash descriptors
  • File-open telemetry showing NanaZip handling untrusted AVB content sourced from email, web downloads, or removable media

Detection Strategies

  • Inventory installed NanaZip versions across endpoints and flag any stable build at or above 3.0.1000.0 and below 6.0.1698.0, and any preview build below 6.5.1742.0
  • Parse AVB vbmeta structures in inbound files at email and web gateways; reject samples where a hash descriptor's salt_len exceeds the bytes remaining in the descriptor
  • Monitor for crash dumps referencing AvbHandler, CByteBuffer::CopyFrom, or NanaZip modules in Windows Error Reporting
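A gateway-side scan of the kind the second strategy above describes, as an added example rather than code from NanaZip, 7-Zip or any gateway product. The record format is constructed for the example and is not the real vbmeta layout (each record: big-endian record_len, big-endian salt_len, then the salt and padding; all assumptions), so the point is the walker rather than the field offsets: every length field is checked against the bytes remaining instead of being added to an offset, so neither a hostile record_len nor a hostile salt_len can wrap the arithmetic. scan_blob, scan_sample and scan_clean_sample are this example's own names.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record format (assumption, not real AVB): a blob is a sequence of
 *   u32 BE record_len   total record size including this 8-byte header
 *   u32 BE salt_len
 *   salt_len bytes of salt, then padding up to record_len             */
#define REC_HDR 8u

static uint32_t load_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

static void store_be32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/* Returns the number of records that violate a length rule. Stops at the first
 * record whose record_len is unusable, since nothing after it can be located. */
size_t scan_blob(const uint8_t *blob, size_t blob_len)
{
    size_t off = 0, flagged = 0;
    while (off < blob_len) {
        if (blob_len - off < REC_HDR) { flagged++; break; }         /* truncated header */
        uint32_t rec_len  = load_be32(blob + off);
        uint32_t salt_len = load_be32(blob + off + 4);
        /* record_len must cover its header and stay inside the blob; compare with
         * the remaining bytes rather than computing off + rec_len, which could wrap */
        if (rec_len < REC_HDR || rec_len > blob_len - off) { flagged++; break; }
        /* the CVE-2026-47223 rule: the salt must fit in the bytes after the header */
        if (salt_len > rec_len - REC_HDR)
            flagged++;
        off += rec_len;                                             /* safe: rec_len <= blob_len - off */
    }
    return flagged;
}

/* Constructed blob: one clean record, one with a wrapping salt_len, one whose
 * record_len would run past the end of the blob. */
size_t scan_sample(void)
{
    uint8_t blob[64];
    memset(blob, 0, sizeof blob);
    store_be32(blob + 0, 24);  store_be32(blob + 4, 16);  memset(blob + 8, 0x5A, 16);
    store_be32(blob + 24, 16); store_be32(blob + 28, 0xFFFFFFF0u);  /* 0xFFFFFFF0 > 8 remaining */
    store_be32(blob + 40, 0xFFFFFFF8u); store_be32(blob + 44, 8);   /* record_len > 24 remaining */
    return scan_blob(blob, sizeof blob);
}

/* Constructed blob holding only the clean record. */
size_t scan_clean_sample(void)
{
    uint8_t blob[24];
    store_be32(blob + 0, 24); store_be32(blob + 4, 16); memset(blob + 8, 0x5A, 16);
    return scan_blob(blob, sizeof blob);
}

int main(void)
{
    printf("clean blob: %zu flagged\n", scan_clean_sample());
    printf("hostile blob: %zu flagged\n", scan_sample());
    return 0;
}
```

A real gateway rule would apply the same two comparisons to the actual vbmeta descriptor fields; the walker above is written so that a single hostile length field can neither wrap an offset nor cause the scanner itself to read past the file.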

Monitoring Recommendations

  • Collect process creation, module load, and crash events from endpoints that have NanaZip installed
  • Correlate file-open events involving vbmeta or .img artifacts with subsequent NanaZip faults
  • Track software inventory changes to ensure upgraded versions remain deployed after remediation

How to Mitigate CVE-2026-47223

Immediate Actions Required

  • Upgrade NanaZip to stable version 6.0.1698.0 or later, or to preview version 6.5.1742.0 or later
  • Restrict opening of untrusted vbmeta, Android image, or unknown archive files until patches are applied
  • Identify users who routinely handle Android firmware artifacts and prioritize their hosts for remediation

Patch Information

The issue is fixed in NanaZip stable release 6.0.1698.0 and preview release 6.5.1742.0. Patch details and release notes are published in the NanaZip GitHub Security Advisory GHSA-qhc5-mh6j-4g75.

Workarounds

  • Avoid opening AVB vbmeta images or archives from untrusted sources with vulnerable NanaZip builds
  • Use an alternative archive utility that does not invoke the affected AvbHandler parser for AVB inspection
  • Apply application allow-listing or file association changes to prevent automatic handling of .img files by NanaZip until patched

```powershell
# Verify installed NanaZip version on Windows endpoints
Get-AppxPackage -Name "*NanaZip*" | Select-Object Name, Version
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
