CVE-2026-55782 in NanaZip
Summary
by MITRE • 07/10/2026
NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip's WebAssembly archive handler in NanaZip.Codecs.Archive.WebAssembly.cpp allocates buffers from attacker-controlled 32-bit section and custom-name length fields without validating them against the data present in the file. A tiny crafted module can force multi-gigabyte allocations during listing or extraction through NameSize, Information.Size, and std::string or vector allocation paths, causing memory exhaustion or process termination. This issue is fixed in version 6.5.1749.0.
Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.
Analysis
by VulDB Data Team • 07/10/2026
The vulnerability in NanaZip represents a critical buffer overflow condition that stems from inadequate input validation within the WebAssembly archive handler component. This flaw exists in the NanaZip.Codecs.Archive.WebAssembly.cpp file where the application fails to properly validate section and custom-name length fields extracted from attacker-controlled archive files. The vulnerability specifically affects versions prior to 6.5.1749.0 and manifests through improper handling of 32-bit length fields that dictate buffer allocation sizes during archive processing operations.
The technical implementation of this vulnerability exploits the absence of bounds checking for critical size parameters within WebAssembly module parsing routines. When NanaZip encounters a crafted archive file containing maliciously inflated NameSize, Information.Size, or custom-name length values, it proceeds to allocate memory buffers based on these attacker-controlled dimensions without verifying whether the specified sizes are reasonable relative to the actual data contained within the archive. This allows an adversary to manipulate the allocation process through standard string or vector construction paths that internally use these validated parameters.
The operational impact of this vulnerability extends beyond simple memory exhaustion scenarios, potentially leading to complete process termination and system instability during archive listing or extraction operations. Attackers can construct malicious WebAssembly modules with deliberately inflated size fields that trigger multi-gigabyte memory allocations, effectively exhausting available system resources or causing the targeted NanaZip process to crash. This behavior aligns with CWE-129 Input Validation and Output Generation, specifically addressing improper validation of length fields in binary data parsing operations.
The exploitability of this vulnerability demonstrates characteristics consistent with privilege escalation vectors within the attack chain as defined by MITRE ATT&CK framework. The flaw enables an unauthenticated remote attacker to cause denial of service conditions through memory exhaustion attacks that could potentially be leveraged for more sophisticated exploitation techniques. The vulnerability's impact is particularly severe in environments where NanaZip processes untrusted archive files, such as email attachments or file sharing platforms.
Mitigation strategies should prioritize immediate deployment of the patched version 6.5.1749.0 which implements proper bounds checking for all size parameters extracted from archive files. Organizations should also implement additional defensive measures including network-based filtering of suspicious archive files, process isolation during archive processing operations, and regular security assessments of archive handling components. The fix addresses the core issue by validating all attacker-controlled length fields against actual data boundaries before initiating any memory allocation operations, thereby preventing the exploitation path that previously allowed for arbitrary large buffer allocations through crafted WebAssembly module structures.