CVE-2026-44215
4.4
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Summary
NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a one-byte heap out-of-bounds null write exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS filesystem image. The attacker controls the byte offset of the write within a ~254-byte window past the heap allocation boundary. This vulnerability is fixed in 6.0.1698.0.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| M2Team | NanaZip | >= 5.0.1250.0, < 6.0.1698.0 | affected |
Weaknesses
- CWE-787: CWE-787: Out-of-bounds Write
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: poc
- Automatable: no
- Technical Impact: partial
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.