PatchSiren cyber security CVE debrief
CVE-2026-47222 M2Team CVE debrief
CVE-2026-47222 is a medium-severity vulnerability in NanaZip, a 7-Zip derivative for modern Windows experiences. The issue allows for a heap out-of-bounds read, potentially leading to a denial of service (crash) when opening a crafted .avb or .img file.
- Vendor: M2Team
- Product: NanaZip
- CVSS: MEDIUM 5.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-12
- Original CVE updated: 2026-06-12
- Advisory published: 2026-06-12
- Advisory updated: 2026-06-12
Who should care
Users of NanaZip versions from 3.0.1000.0 to before 6.0.1698.0 should update to the patched version 6.0.1698.0 or later.
Technical summary
The vulnerability is in the Android Verified Boot (AVB) vbmeta image parser that NanaZip inherits from the upstream 7-Zip AvbHandler. A bounds check on the property descriptor subtracts before it compares, so when the remaining length is smaller than the subtrahend the unsigned result wraps to a very large value and an attacker-controlled value_num_bytes field passes validation. AddNameToString then reads up to ~4 GiB past the end of a 64 KiB heap buffer, which ends in a crash (denial of service).
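The following is an added illustration of the bug class described above, written for this debrief; it is not the 7-Zip or NanaZip source, and the descriptor layout (a 16-byte header of two big-endian lengths followed by key and value bytes), the function names and the sample buffers are all constructed for the example. It puts the wrapping "subtract then compare" check beside a form that checks the fixed header first and accounts for each variable-length field before comparing the next, so no subtraction can wrap.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed descriptor layout for this example (NOT the real AVB vbmeta format):
   [8 bytes key_num_bytes, big-endian][8 bytes value_num_bytes, big-endian][key][value] */
#define HDR_LEN 16u

static uint64_t rd_be64(const uint8_t *p) {
    uint64_t v = 0;
    for (int i = 0; i < 8; i++) v = (v << 8) | p[i];
    return v;
}

/* Vulnerable pattern: subtract before checking. If remaining < HDR_LEN the
   unsigned subtraction wraps to a huge value, so any value_num_bytes passes. */
bool check_len_unsafe(uint64_t remaining, uint64_t value_num_bytes) {
    return value_num_bytes <= remaining - HDR_LEN;
}

/* Hardened pattern: reject short input first, then consume each field in order.
   Every subtraction is guarded by a comparison, so nothing can wrap. */
bool check_len_safe(uint64_t remaining, uint64_t key_num_bytes, uint64_t value_num_bytes) {
    if (remaining < HDR_LEN) return false;
    uint64_t avail = remaining - HDR_LEN;
    if (key_num_bytes > avail) return false;
    avail -= key_num_bytes;
    return value_num_bytes <= avail;
}

/* Parse one descriptor from buf[0..len). On success copies the value into out
   (NUL-terminated, at most out_cap bytes) and returns its length; returns -1 if
   the descriptor does not fit inside the buffer or the caller's buffer is too small. */
long parse_property(const uint8_t *buf, size_t len, char *out, size_t out_cap) {
    if (len < HDR_LEN) return -1;
    uint64_t key_n = rd_be64(buf);
    uint64_t val_n = rd_be64(buf + 8);
    if (!check_len_safe(len, key_n, val_n)) return -1;   /* lengths exceed the buffer */
    if (val_n + 1 > out_cap) return -1;                   /* would overflow caller's out[] */
    memcpy(out, buf + HDR_LEN + key_n, (size_t)val_n);
    out[val_n] = '\0';
    return (long)val_n;
}

/* Constructed sample: key "key" (3 bytes), value "hello" (5 bytes). */
const uint8_t sample_good[] = {
    0,0,0,0,0,0,0,3,  0,0,0,0,0,0,0,5,
    'k','e','y',  'h','e','l','l','o'
};
const size_t sample_good_len = sizeof sample_good;

/* Constructed malformed sample: same 24 bytes, but value_num_bytes claims 100. */
const uint8_t sample_bad[] = {
    0,0,0,0,0,0,0,3,  0,0,0,0,0,0,0,100,
    'k','e','y',  'h','e','l','l','o'
};
const size_t sample_bad_len = sizeof sample_bad;

int main(void) {
    char out[16];
    printf("good: %ld (%s)\n", parse_property(sample_good, sample_good_len, out, sizeof out), out);
    printf("bad:  %ld\n", parse_property(sample_bad, sample_bad_len, out, sizeof out));
    /* 8 bytes remaining is shorter than the header, yet the unsafe check accepts a 1 MB value. */
    printf("unsafe check on 8-byte input: %d, safe check: %d\n",
           check_len_unsafe(8, 1000000), check_len_safe(8, 0, 1000000));
    return 0;
}
```

The unsafe variant is exactly the shape to look for in review: any `x - k < n` on unsigned values where `x >= k` has not been established. The fix is not to widen the types but to order the comparisons so the subtraction is only reached when it cannot wrap.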
Defensive priority
Medium
Recommended defensive actions
- Update NanaZip to version 6.0.1698.0 or later.
- Avoid opening untrusted .avb or .img files.
Evidence notes
The CVE-2026-47222 vulnerability has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0 of NanaZip.
Official resources
- CVE-2026-47222 CVE record (CVE.org)
- CVE-2026-47222 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-47222 was published on 2026-06-12T17:16:24.087Z and modified on 2026-06-12T18:16:34.533Z.