CVE-2026-27014 MEDIUM

CVE-2026-27014: NanZip has ROMFS Archive Infinite Loop / Stack Overflow

Vendor M2Team
Product NanaZip
Weakness CWE-674
Published February 19, 2026
Last update February 20, 2026

CVSS base score

5.1/10
Attack vector Local
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

NanaZip is an open source file archive Starting in version 5.0.1252.0 and prior to version 6.0.1630.0, circular `NextOffset` chains cause an infinite loop, and deeply nested directories cause unbounded recursion (stack overflow) in the ROMFS archive parser. Version 6.0.1630.0 patches the issue.

Key dates

02Disclosure timeline

February 19, 2026 CVE published
February 20, 2026 Record updated