PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-55781 M2Team CVE debrief

CVE-2026-55781 is a low-severity vulnerability in NanaZip's UFS and FFS image handler. Prior to version 6.5.1749.0, the handler validates the superblock block size only against the MINBSIZE lower bound and does not validate the fs_fsize fragment size. This allows attacker-controlled 32-bit fields to flow into indirect-block, directory, and extraction buffer allocations. A tiny crafted UFS image can force multi-gigabyte allocations during open or extraction, causing memory exhaustion or process termination. The vulnerability has a low severity and a CVSS score of 2.4.

Vendor
M2Team
Product
NanaZip
CVSS
LOW 2.4
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-10
Original CVE updated
2026-07-10
Advisory published
2026-07-10
Advisory updated
2026-07-10

Who should care

Users of NanaZip versions prior to 6.5.1749.0 should update to the latest version to prevent potential memory exhaustion attacks. Operators of affected systems should review the official advisory to validate affected scope and severity. Vulnerability management and security teams should prioritize updating NanaZip to version 6.5.1749.0 or later. Platform owners should verify that NanaZip is updated to version 6.5.1749.0 or later.

Technical summary

The vulnerability exists in NanaZip's UFS and FFS image handler, specifically in the NanaZip.Codecs.Archive.Ufs.cpp file. The handler fails to validate the fs_fsize fragment size, allowing attacker-controlled 32-bit fields to influence memory allocations. This can lead to memory exhaustion or process termination when a crafted UFS image is opened or extracted. The vulnerability has a low severity and a CVSS score of 2.4. The affected product is NanaZip, and the vulnerability is fixed in version 6.5.1749.0.

Defensive priority

Low

Recommended defensive actions

  • Update NanaZip to version 6.5.1749.0 or later
  • Restrict access to untrusted UFS images
  • Monitor system resources for signs of memory exhaustion
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-10T17:16:59.883Z and has not been modified since then. The NVD entry is currently Deferred. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the official advisory. The NanaZip version prior to 6.5.1749.0 is vulnerable, and users should update to the latest version to prevent potential memory exhaustion attacks. The vulnerability exists in the UFS and FFS image handler, specifically in the NanaZip.Codecs.Archive.Ufs.cpp file.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-10T17:16:59.883Z and has not been modified since then.