Vulnerability Details CVE-2026-27711
NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to versions 6.0.1638.0 and 6.5.1638.0, a memory corruption vulnerability in NanaZip’s UFS parser allows a crafted `.ufs/.ufs2/.img` file to trigger out-of-bounds memory access during archive open/listing. The bug is reachable via normal user file-open flow and can cause process crash, hang, and potentially exploitable heap corruption. Versions 6.0.1638.0 and 6.5.1638.0 fix the issue.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.0
EPSS Ranking 3.2%
CVSS Severity
CVSS v3 Score 6.6
References
Products affected by CVE-2026-27711
-
cpe:2.3:a:m2team:nanazip:5.0.1252.0
-
cpe:2.3:a:m2team:nanazip:5.0.1263.0
-
cpe:2.3:a:m2team:nanazip:5.1.1252.0
-
cpe:2.3:a:m2team:nanazip:5.1.1263.0
-
cpe:2.3:a:m2team:nanazip:6.0.1461.0
-
cpe:2.3:a:m2team:nanazip:6.0.1621.0
-
cpe:2.3:a:m2team:nanazip:6.0.1630.0
-
cpe:2.3:a:m2team:nanazip:6.0.1632.0