VYPR
Medium severity (4.3) · NVD Advisory · Published Jun 12, 2026

CVE-2026-47224

Description

A heap buffer-overflow read in NanaZip's LVM2 metadata parser allows out-of-bounds memory access when opening a crafted disk image.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

A heap buffer-overflow read exists in the LVM2 physical-volume metadata parser in NanaZip (via the upstream 7-Zip LvmHandler), in versions from 3.0.1000.0 up to but not including 6.0.1698.0 [1]. The vulnerability is triggered when opening a crafted LVM disk image. In CHandler::Open2 in LvmHandler.cpp, when the metadata area size field is between 1 and 511 bytes, the handler allocates a buffer of that size but unconditionally reads 508 bytes from it for a CRC-32 check, reading up to 507 bytes past the end of the allocation. Additionally, Get32(meta) reads 4 bytes from the start of the buffer, which overflows the allocation when the allocated size is less than 4 bytes [1].

Exploitation

An attacker can craft a malicious LVM disk image with a metadata area size field set to a value between 1 and 511 bytes. The attacker must then convince a user to open this image with NanaZip. No authentication or special network position is required; only user interaction is needed. Upon opening the image, NanaZip's parser allocates a buffer of the specified size and then performs a CRC-32 check that reads a fixed 508 bytes, causing an out-of-bounds heap read [1].

Impact

Successful exploitation results in an out-of-bounds heap memory read, potentially disclosing sensitive data from adjacent heap memory. The impact is limited to information disclosure; no code execution is described in the available references [1].

Mitigation

The vulnerability has been patched in NanaZip stable version 6.0.1698.0 and preview version 6.5.1742.0 [1]. Users should update to these or later versions. If updating is not possible, avoid opening untrusted LVM disk images. For projects that forked 7-Zip to enable this handler, synchronizing with 7-Zip 26.01 is recommended [1].

AI Insight generated on Jun 12, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.


Vulnerability mechanics

Root cause

"Missing minimum-size validation on the attacker-controlled metadata area size field allows a heap buffer-overflow read in the LVM2 physical-volume metadata parser."

Attack vector

An attacker crafts an LVM disk image with a metadata area size field between 1 and 511 bytes. When a victim opens the image in NanaZip, the handler allocates a buffer of that size but performs a CRC-32 check over a hardcoded 508-byte region, reading up to 511 bytes past the allocation boundary [1]. The result is observable as a side channel (archive opens vs. fails to open), potentially leaking heap contents or causing a crash [CWE-125].

Affected code

The vulnerability resides in `CHandler::Open2` in `LvmHandler.cpp` (lines 754–761). The function allocates a buffer of `sizeT` bytes but then unconditionally reads 508 bytes from it for a CRC-32 check, causing an out-of-bounds read when `sizeT < 512`.

What the fix does

The advisory recommends enforcing a minimum metadata buffer size of `kSectorSize` (512) bytes before performing the CRC check, e.g. `if (sizeT < kSectorSize) return S_FALSE;` [1]. This prevents the out-of-bounds read by rejecting any metadata area whose size is smaller than the fixed CRC read length. The patch is included in NanaZip stable version 6.0.1698.0 and preview version 6.5.1742.0.
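The following is an added example, not 7-Zip or NanaZip code, that models the step described in the Vulnerability section above and the fix described here: a metadata area of attacker-controlled size `sizeT` is copied out of the image, and the handler then performs fixed-length reads (4 bytes of stored checksum, 508 bytes covered by it) that are only safe once `sizeT >= kSectorSize` has been enforced. The LVM2 mda_header layout (4-byte checksum followed by 508 covered bytes in a 512-byte sector), the little-endian `Get32`, the names `ReadMdaHeader`, `OobBytesWithoutCheck` and `MakeValidMda`, and the use of a standard CRC-32 in place of the handler's own checksum routine are all assumptions made for the illustration.

```cpp
// Added example (not 7-Zip or NanaZip code): a minimal model of the metadata
// area size check from the advisory, with the fix applied. Assumptions: LVM2
// mda_header layout (4-byte stored checksum, then 508 covered bytes in a
// 512-byte sector), little-endian Get32, and a standard CRC-32 standing in
// for the handler's own checksum routine.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

static const size_t kSectorSize = 512;      // minimum size the fix enforces
static const size_t kCrcCoveredBytes = 508; // fixed length of the CRC read

// Standard reflected CRC-32 (poly 0xEDB88320), used only so the example is
// self-contained and checkable; the real LVM2 checksum is seeded differently.
uint32_t Crc32(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

static uint32_t Get32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void Set32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v;         p[1] = (uint8_t)(v >> 8);
    p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

enum class MdaResult { Ok, BadChecksum, SizeTooSmall, Truncated };

// Hardened version of the step the advisory describes. `mdaOffset` and
// `sizeT` stand in for the attacker-controlled disk_locn fields.
MdaResult ReadMdaHeader(const std::vector<uint8_t> &image,
                        size_t mdaOffset, size_t sizeT) {
    // The fix: reject any metadata area smaller than one sector *before* any
    // fixed-length read. Without this line, sizeT in [1, 511] allocates only
    // `sizeT` bytes and the two reads below run past the allocation.
    if (sizeT < kSectorSize)
        return MdaResult::SizeTooSmall;
    // Also refuse to read past the end of the image itself.
    if (mdaOffset > image.size() || sizeT > image.size() - mdaOffset)
        return MdaResult::Truncated;
    const uint8_t *src = image.data() + mdaOffset;
    std::vector<uint8_t> meta(src, src + sizeT);
    // Both reads are now inside `meta`: 4 + 508 == kSectorSize <= sizeT.
    uint32_t stored   = Get32(meta.data());
    uint32_t computed = Crc32(meta.data() + 4, kCrcCoveredBytes);
    return stored == computed ? MdaResult::Ok : MdaResult::BadChecksum;
}

// Bytes the unpatched logic would read past a `sizeT`-byte allocation under
// the assumed layout (the fixed reads always span bytes [0, 512)).
size_t OobBytesWithoutCheck(size_t sizeT) {
    return sizeT < kSectorSize ? kSectorSize - sizeT : 0;
}

// Constructed sample input: a 512-byte metadata area with a valid checksum.
std::vector<uint8_t> MakeValidMda() {
    std::vector<uint8_t> meta(kSectorSize, 0);
    for (size_t i = 4; i < kSectorSize; i++)
        meta[i] = (uint8_t)(i * 31); // arbitrary filler, constructed here
    Set32(meta.data(), Crc32(meta.data() + 4, kCrcCoveredBytes));
    return meta;
}

// Exercises the size check on a range of declared sizes; returns true when
// every case lands on the expected outcome.
bool SelfCheck() {
    std::vector<uint8_t> v = MakeValidMda();
    bool ok = ReadMdaHeader(v, 0, 512) == MdaResult::Ok
           && ReadMdaHeader(v, 0, 1)   == MdaResult::SizeTooSmall
           && ReadMdaHeader(v, 0, 511) == MdaResult::SizeTooSmall
           && ReadMdaHeader(v, 0, 600) == MdaResult::Truncated;
    v[10] ^= 0xFF; // corrupt a covered byte
    return ok && ReadMdaHeader(v, 0, 512) == MdaResult::BadChecksum;
}

int main() {
    std::vector<uint8_t> image = MakeValidMda();
    static const char *names[] = {"Ok", "BadChecksum", "SizeTooSmall", "Truncated"};
    size_t sizes[] = {1, 3, 100, 511, 512, 600};
    for (size_t s : sizes)
        printf("sizeT=%3zu -> %-12s (unpatched overrun: %3zu bytes)\n",
               s, names[(int)ReadMdaHeader(image, 0, s)], OobBytesWithoutCheck(s));
    return SelfCheck() ? 0 : 1;
}
```

The point of `OobBytesWithoutCheck` is to make the failure mode visible without performing an unsafe read: for any declared size in the vulnerable range the fixed-length reads extend past the allocation, and the single comparison against `kSectorSize` placed before the first read is what closes the window. The bound against `image.size()` is a second check the advisory does not mention, added here because a size field that passes the sector minimum can still exceed the data actually present in the file.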

Preconditions

  • The victim must open a crafted LVM disk image in NanaZip.
  • The attacker-controlled metadata disk_locn.size must be between 1 and 511 bytes.
  • The PV label fields (magic, CRC, structural constants) must be valid to reach the vulnerable code path.

Reproduction

Enable full-page-heap verification for the executable, then run the PoC and check the exit code:

```batch
:: Enable Page Heap (requires Administrator)
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NanaZip.Universal.Console.exe" /v GlobalFlag /t REG_DWORD /d 0x02000000 /f
reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NanaZip.Universal.Console.exe" /v PageHeapFlags /t REG_DWORD /d 0x3 /f

:: Run the PoC and check exit code (0xC0000005 = ACCESS_VIOLATION = OOB confirmed)
NanaZip.Universal.Console.exe l lvm_oob_read.lvm
echo Exit code: %ERRORLEVEL%

:: Clean up
reg delete "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NanaZip.Universal.Console.exe" /f
```

The process crashes with 0xC0000005 (ACCESS_VIOLATION) when Page Heap is active, confirming the out-of-bounds read.

Generated on Jun 12, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1
