CVE-2026-47222

Vulnerability

A heap out-of-bounds read exists in the Android Verified Boot (AVB) vbmeta image parser in NanaZip (via the upstream 7-Zip AvbHandler). The vulnerability affects versions from 3.0.1000.0 to before 6.0.1698.0. An unsigned integer underflow in a bounds check within the property descriptor parsing allows an attacker-controlled value_num_bytes field to pass validation, causing AddNameToString to read up to ~4 GiB past the end of a 64 KiB heap buffer [1].

Exploitation

An attacker must craft a malicious .avb or .img file containing a property descriptor with a specially crafted value_num_bytes field. The user must then open the file with NanaZip. No authentication or special network position is required; the attack relies on user interaction. The underflow occurs when pos equals descSize, causing descSize - pos - 1 to wrap to a large value, bypassing the bounds check and leading to the out-of-bounds read [1].

Impact

Successful exploitation results in a deterministic crash (denial of service) when the crafted file is opened. No code execution or information disclosure has been demonstrated; the impact is limited to application termination [1].

Mitigation

The issue has been patched in NanaZip stable version 6.0.1698.0 and preview version 6.5.1742.0. Users should update to these or later versions. The fix also corresponds to upstream 7-Zip 26.01. No workaround is available for unpatched versions [1].