Home

Description

NanaZip is the 7-Zip derivative intended for the modern Windows experience. Prior to 6.5.1749.0, NanaZip's seven in-house IInArchive handlers in NanaZip.Codecs unconditionally dereference the caller-supplied Indices array inside Extract when the archive engine signals extract everything by passing Indices as NULL and NumItems as 0xFFFFFFFF. This causes a NULL pointer dereference in the standard Test archive or Extract all code path for WebAssembly, ElectronAsar, Zealfs, Romfs, Ufs, Littlefs, and DotNetSingleFile archives, resulting in a process crash. This issue is fixed in version 6.5.1749.0.

PUBLISHED Reserved 2026-06-17 | Published 2026-07-10 | Updated 2026-07-10 | Assigner GitHub_M




LOW: 2.4CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Problem types

CWE-476: NULL Pointer Dereference

Product status

< 6.5.1749.0
affected

References

github.com/...anaZip/security/advisories/GHSA-q67r-9cfh-xc29 exploit

github.com/...anaZip/security/advisories/GHSA-q67r-9cfh-xc29

github.com/...ommit/5d74d90b737ac7096e5d944a5a3070c5c6a8f894

github.com/M2Team/NanaZip/releases/tag/6.5.1749.0

cve.org (CVE-2026-55783)

nvd.nist.gov (CVE-2026-55783)

Download JSON