Cyber Resilience

CVE-2026-27114

MediumPublic PoC

Published: 19 February 2026

Published
19 February 2026
Modified
26 February 2026
KEV Added
Patch
CVSS Score v4 5.1 CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0004 13.9th percentile
Risk Priority 10 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-27114 is a medium-severity Infinite Loop (CWE-835) vulnerability in M2Team Nanazip. Its CVSS base score is 5.1 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Malicious File (T1204.002); ranked at the 13.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2026-27114 affects NanaZip, an open-source file archiving utility, specifically in versions starting from 5.0.1252.0 up to but not including 6.0.1630.0. The vulnerability stems from circular `NextOffset` chains in the ROMFS archive parser, triggering an infinite loop (CWE-835: Loop with Unreachable Exit Condition). This issue has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H), indicating high severity primarily due to availability impact.

Attackers can exploit this remotely over a network with low complexity, requiring no privileges or user interaction beyond convincing a victim to open a malicious ROMFS archive file in an affected NanaZip version. Successful exploitation leads to a denial-of-service condition, as the infinite loop causes the application to hang or crash, consuming excessive CPU resources without impacting confidentiality or integrity.

The GitHub security advisory (GHSA-hfg9-6rf9-5pgx) from the M2Team/NanaZip repository details the issue, confirming that version 6.0.1630.0 includes a patch to resolve the infinite loop. A proof-of-concept exploit is available as a ZIP attachment, demonstrating the vulnerability for testing purposes. Security practitioners should prioritize updating to the patched version and scan for vulnerable installations.

EU & UK References

Vulnerability details

NanaZip is an open source file archive. Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular `NextOffset` chains cause an infinite loop in the ROMFS archive parser. Version 6.0.1630.0 patches the issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1204.002 Malicious File Execution
An adversary may rely upon a user opening a malicious file in order to gain execution.
T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability in ROMFS parser enables DoS via crafted archive file opened by victim (T1204.002 Malicious File) resulting in application crash/hang through exploitation (T1499.004 Application or System Exploitation).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-6519Shared CWE-835
CVE-2026-7375Shared CWE-835
CVE-2026-6520Shared CWE-835
CVE-2026-26283Shared CWE-835
CVE-2026-39806Shared CWE-835
CVE-2026-29975Shared CWE-835
CVE-2026-44302Shared CWE-835
CVE-2026-31448Shared CWE-835
CVE-2026-42899Shared CWE-835
CVE-2026-27628Shared CWE-835

Affected Assets

m2team
nanazip
5.0.1252.0 — 6.0.1630.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Flaw remediation directly addresses the infinite loop vulnerability in NanaZip's ROMFS parser by applying patches like version 6.0.1630.0.

detect

Vulnerability monitoring and scanning identifies systems running vulnerable NanaZip versions affected by CVE-2026-27114.

prevent

Information input validation in the ROMFS archive parser detects and rejects circular NextOffset chains to prevent infinite loops.

References