CVE-2026-47223
Description
Heap out-of-bounds read in NanaZip's AVB vbmeta image parser due to integer overflow allows denial of service via crafted .avb or .img file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
NanaZip versions from 3.0.1000.0 to before 6.0.1698.0 (preview 6.5.1742.0) contain a heap out-of-bounds read in the Android Verified Boot (AVB) vbmeta image parser (via the upstream 7-Zip AvbHandler). The bounds check pos + ht.salt_len > descSize is evaluated in 32-bit unsigned arithmetic, so an attacker-controlled salt_len close to 2^32 wraps the sum back to a small value and the check never rejects it; CByteBuffer::CopyFrom then memcpys up to ~4 GiB past the end of a 64 KiB heap buffer [1].
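The wraparound described above, as an added example that is not NanaZip or 7-Zip code: the descriptor layout (a big-endian 32-bit salt_len at a fixed offset, followed by the salt bytes) is a simplified, hypothetical stand-in for the real AVB hashtree descriptor, and the buffer size of 64 KiB follows the advisory. The vulnerable predicate forms the sum in uint32 exactly as the advisory describes; the hardened predicate compares salt_len against the space remaining after pos and so cannot wrap. No copy is performed, the functions only report whether the check would let it happen and how many bytes memcpy would read.

```c
/*
 * Added example (not NanaZip/7-Zip code). Models a 32-bit bounds check of the
 * form `pos + salt_len > descSize` wrapping on a crafted salt_len, beside the
 * hardened form. Descriptor layout and offsets are hypothetical.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DESC_SIZE        65536u  /* 64 KiB descriptor buffer, as in the advisory */
#define SALT_LEN_OFFSET  100u    /* hypothetical offset of the uint32 salt_len field */
#define SALT_DATA_OFFSET 104u    /* hypothetical position where the salt bytes begin */

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Vulnerable pattern: the sum is computed in uint32 and wraps modulo 2^32,
 * so a huge salt_len produces a small `end` and passes. Returns 1 = allowed. */
int salt_check_vulnerable(uint32_t pos, uint32_t salt_len, uint32_t descSize) {
    uint32_t end = pos + salt_len;
    return end > descSize ? 0 : 1;
}

/* Hardened pattern: never form pos + salt_len; compare salt_len against the
 * bytes remaining after pos. descSize - pos cannot underflow once pos is checked. */
int salt_check_fixed(uint32_t pos, uint32_t salt_len, uint32_t descSize) {
    if (pos > descSize) return 0;
    return salt_len > descSize - pos ? 0 : 1;
}

/* A salt_len chosen so that pos + salt_len wraps to 16 (mod 2^32): the
 * vulnerable check accepts it and memcpy would read nearly 4 GiB. */
uint32_t crafted_salt_len(uint32_t pos) {
    return (uint32_t)(0u - pos) + 16u;
}

/* Constructed descriptor: all zero except the big-endian salt_len field. */
void build_descriptor(uint8_t *desc, uint32_t salt_len) {
    memset(desc, 0, DESC_SIZE);
    desc[SALT_LEN_OFFSET + 0] = (uint8_t)(salt_len >> 24);
    desc[SALT_LEN_OFFSET + 1] = (uint8_t)(salt_len >> 16);
    desc[SALT_LEN_OFFSET + 2] = (uint8_t)(salt_len >> 8);
    desc[SALT_LEN_OFFSET + 3] = (uint8_t)(salt_len);
}

/* Simulated parse step: read salt_len, run the chosen check, and report the
 * number of bytes a following memcpy would read if the check allowed it.
 * Returns 1 if the copy would be allowed, 0 if rejected. */
int parse_salt(const uint8_t *desc, uint32_t descSize, int hardened,
               uint64_t *out_copy_len) {
    uint32_t salt_len = be32(desc + SALT_LEN_OFFSET);
    uint32_t pos = SALT_DATA_OFFSET;
    int ok = hardened ? salt_check_fixed(pos, salt_len, descSize)
                      : salt_check_vulnerable(pos, salt_len, descSize);
    if (ok && out_copy_len) *out_copy_len = salt_len;
    return ok;
}

int main(void) {
    static uint8_t desc[DESC_SIZE];
    uint64_t n = 0;
    build_descriptor(desc, crafted_salt_len(SALT_DATA_OFFSET));
    printf("vulnerable check accepts: %d, memcpy would read %llu bytes\n",
           parse_salt(desc, DESC_SIZE, 0, &n), (unsigned long long)n);
    printf("hardened check accepts: %d\n", parse_salt(desc, DESC_SIZE, 1, NULL));
    return 0;
}
```

Running it shows the vulnerable check accepting a salt_len of about 4.29 billion bytes against a 64 KiB buffer while the hardened check rejects it; the same rewrite (compare the length against the remaining space instead of adding it to the offset) is the standard fix for this class of check.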
Exploitation
An attacker can exploit this by crafting a malicious .avb or .img file containing an AVB hashtree descriptor with an oversized salt_len. The attacker must get the file in front of a user who opens it with a vulnerable NanaZip version. No authentication or network position is required; local file access is sufficient. The vulnerability triggers deterministically upon opening the file: the overflowed bounds check accepts the oversized salt_len, and the subsequent copy reads out of bounds on the heap [1].
Impact
Successful exploitation results in a deterministic crash (denial of service) caused by the heap out-of-bounds read. The reference notes that CByteBuffer::CopyFrom uses memcpy, which does not stop at a NUL byte, so the read runs for the full attacker-supplied length; even so, the primary impact is denial of service, and arbitrary code execution is not confirmed in the available sources [1].
Mitigation
The issue is patched in stable version 6.0.1698.0 and preview version 6.5.1742.0. Users should update to these versions or later. If forking 7-Zip to enable this handler, synchronize with 7-Zip 26.01 for the fix. No workaround is mentioned for unpatched versions [1].
AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE. Mechanics are only generated when we can read the actual fix diff; without it, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References: 1
News mentions: 0
No linked articles in our index yet.