CVE-2026-27014 in NanaZip
Summary
by MITRE • 02/19/2026
NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular `NextOffset` chains cause an infinite loop, and deeply nested directories cause unbounded recursion (stack overflow) in the ROMFS archive parser. Version 6.0.1630.0 patches the issue.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 02/22/2026
The vulnerability identified as CVE-2026-27014 affects NanaZip, an open source file archiving tool that supports various archive formats including ROMFS. This security flaw exists in versions starting from 5.0.1252.0 through 5.9.1629.0, creating a critical risk scenario where the ROMFS archive parser fails to properly handle malformed archive structures. The vulnerability stems from inadequate input validation and error handling within the parsing logic, specifically when processing archive files that contain circular references or excessively nested directory structures.
The technical implementation of this vulnerability manifests through two distinct but related attack vectors. The first vector involves circular NextOffset chains that create infinite loops within the parsing process, causing the application to consume excessive CPU resources and potentially leading to denial of service conditions. The second vector involves deeply nested directory structures that trigger unbounded recursion, resulting in stack overflow conditions that can crash the application or potentially enable arbitrary code execution depending on the system configuration. Both issues arise from the parser's inability to detect and terminate malformed recursive structures during archive processing.
From an operational perspective, this vulnerability presents significant risks to organizations relying on NanaZip for archive management and file operations. The infinite loop condition can cause systems to become unresponsive, particularly when processing untrusted archive files from external sources or user uploads. The stack overflow component increases the attack surface by potentially allowing remote code execution if attackers can craft malicious archive files that trigger the recursion. This vulnerability affects both desktop and server environments where NanaZip is deployed, making it a critical concern for enterprise security teams managing file archive operations.
The mitigation strategy involves upgrading to version 6.0.1630.0 or later, which includes patches addressing both the circular reference handling and recursive depth limitation issues. Security teams should also implement proper archive validation procedures, including file type detection and size limitations before processing potentially untrusted archives. Network segmentation and application whitelisting can help reduce the impact if exploitation occurs, while regular security updates and vulnerability assessments should be conducted to identify similar issues in other archive processing applications. This vulnerability aligns with CWE-835 (Loop with Unreachable Exit Condition) and CWE-674 (Uncontrolled Recursion) classifications, and represents a typical example of insufficient input validation in archive parsing libraries that could be exploited through the ATT&CK technique of Execution through API.