CVE-2026-47224: Heap Buffer-Overflow in NanaZip LVM2 Metadata Parser
A NVD · · CVE-2026-47224
Key metrics
- CVSS: 4.3
- EPSS: 0%
Key insight
The vulnerability enables a heap buffer overflow via crafted LVM disk images when they are opened locally; patching to version 6.0.1698.0 or later is required.
Description
CVE-2026-47224 is a heap buffer-overflow flaw in the LVM2 physical-volume metadata parser of NanaZip (via upstream 7-Zip LvmHandler). The vulnerability affects NanaZip versions from 3.0.1000.0 to before 6.0.1698.0 and is triggered when opening a crafted LVM disk image. A local attacker could trigger memory corruption and potentially achieve code execution. The flaw has been patched in stable version 6.0.1698.0 and preview version 6.5.1742.0.
Risk score
- cvss base: 43.00
- kev bonus: 0.00
- epss bonus: 0.00
- poc bonus: 0.00
- raw before weight: 43.00
- industry weight: 1.10
- freshness factor: 1.00
- exploitability factor: 1.00
- days old: 0.00
- vendor mismatch penalty: 0.00
Path: operational