CVE-2026-27114
Published: 19 February 2026
Summary
CVE-2026-27114 is a medium-severity Infinite Loop (CWE-835) vulnerability in M2Team Nanazip. Its CVSS base score is 5.1 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 13.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2026-27114 affects NanaZip, an open-source file archiving utility, specifically in versions starting from 5.0.1252.0 up to but not including 6.0.1630.0. The vulnerability stems from circular `NextOffset` chains in the ROMFS archive parser, triggering an infinite loop (CWE-835: Loop with Unreachable Exit Condition). This issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.
Attackers can exploit this remotely over a network with low complexity, requiring no privileges or user interaction beyond convincing a victim to open a malicious ROMFS archive file in an affected NanaZip version. Successful exploitation leads to a denial-of-service condition, as the infinite loop causes the application to hang or crash, consuming excessive CPU resources without impacting confidentiality or integrity.
The GitHub security advisory (GHSA-hfg9-6rf9-5pgx) from the M2Team/NanaZip repository details the issue, confirming that version 6.0.1630.0 includes a patch to resolve the infinite loop. A proof-of-concept exploit is available as a ZIP attachment, demonstrating the vulnerability for testing purposes. Security practitioners should prioritize updating to the patched version and scan for vulnerable installations.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-8315
Vulnerability details
NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular `NextOffset` chains cause an infinite loop in the ROMFS archive parser. Version 6.0.1630.0 patches the issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vulnerability in ROMFS parser enables DoS via crafted archive file opened by victim (T1204.002 Malicious File) resulting in application crash/hang through exploitation (T1499.004 Application or System Exploitation).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Flaw remediation directly addresses the infinite loop vulnerability in NanaZip's ROMFS parser by applying patches like version 6.0.1630.0.
Vulnerability monitoring and scanning identifies systems running vulnerable NanaZip versions affected by CVE-2026-27114.
Information input validation in the ROMFS archive parser detects and rejects circular NextOffset chains to prevent infinite loops.