NanaZip UFS Parser Heap Corruption Vulnerability (CVE-2026-27711) Analysis

Critical Vulnerability Information Vulnerability Overview CVE ID: CVE-2026-27711 CVSS v4 Base Metrics: 5.1/10 - Exploitability Metrics - Attack Vector: Local - Attack Complexity: Low - Attack Requirements: None - Privileges Required: Low - User Interaction: Passive - Vulnerable System Impact Metrics - Confidentiality: None - Integrity: None - Availability: High - Subsequent System Impact Metrics - Confidentiality: None - Integrity: None - Availability: None Impact Type: Out-of-bounds memory access / Heap corruption in parsing code (untrusted input). Affected Users: Any user opening an attacker-supplied UFS image (.ufs, .ufs2, .img) in NanaZip. Potential Consequences: - Denial of Service (crash/hang). - Potentially exploitable memory corruption, depending on the allocator, build configuration, and runtime protections. Affected Versions Affected Versions: 5.0 (5.0.1250.0) and later Fixed Versions: 6.0 Update 1 (6.0.1638.0) and later / 6.5 Preview (6.5.1638.0) and later Description Summary: A memory corruption vulnerability exists in the UFS parser of NanaZip, allowing out-of-bounds memory access during archive opening or listing when triggered by a specially crafted .ufs/.ufs2/.img file. This flaw is reachable via normal user file opening workflows and may lead to process crashes, hangs, and potentially exploitable heap corruption. Details: The security logic flaw resides in [NanaZip.Codecs.Archive.Ufs.cpp (line 591)] and related lines: - d_reclen and d_namlen are read from untrusted disk directory entries. - There is no validation that the current record fits within the remaining buffer bytes before field access. - There is no validation that d_reclen is non-zero and reasonable before advancing the pointer. - The code writes Current->d_name[NameLength] = '\0' without checking if NameLength is a valid value within the actual record boundaries. - Pointer advancement is entirely under attacker control: Current = ... + RecordLength.

Goal Reached Thanks to every supporter — we hit 100%!

NanaZip UFS Parser Heap Corruption Vulnerability (CVE-2026-27711) Analysis

More from this source