CVEFinder.io

CVE-2026-42442

ℹī¸ low
🔍 Scan for this CVE
Summary

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a null-pointer dereference exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the root inode (inode 2) is set to IFLNK (symlink) instead of IFDIR (directory). The parser unconditionally treats the root inode as a directory without checking its type, and when the symlink has an embedded target (small di_size), the directory data buffer is zero

Description

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a null-pointer dereference exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the root inode (inode 2) is set to IFLNK (symlink) instead of IFDIR (directory). The parser unconditionally treats the root inode as a directory without checking its type, and when the symlink has an embedded target (small di_size), the directory data buffer is zero-length, causing a null-pointer dereference on the first read. This vulnerability is fixed in 6.0.1698.0.

CVSS Score
3.3
Low
EPSS Score
0.0
Exploit Probability
Published Date
2026-05-12
First Seen: 2026-05-19
📊 Relative Risk Intelligence

This CVE is Lower Risk - more severe than 2.8% of all 326,604 vulnerabilities in our database.

#317,424
Below average severity
Severity Percentile
đŸŽ¯ CISA SSVC Assessment Updated: May 13, 2026
🔍 Exploitation Status
None
No known exploits
⚙ī¸ Automatable
NO
Requires human interaction
đŸ’Ĩ Technical Impact
Partial
Limited system impact
SSVC data provided by CISA
Last Modified 2026-05-18
Source NVD 🔗
CVSS Vector 3.1 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
CWE IDs (Weakness Types)
CWE-476

đŸ“Ļ Affected Products 1

Vendor Product Status Affected Versions
m2team nanazip Affected
> 5.0.1250.0 < 6.0.1698.0

🔗 References 1

https://github.com/M2Team/NanaZip/security/advisorie...
Mitigation Vendor Advisory

🔗 Related CVEs 6

CVE ID Severity CVSS EPSS Summary Published
CVE-2026-42444 ℹī¸ low 3.3 0.0 NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a denial-of-service vulnerability exists i... 2026-05-12
CVE-2026-42445 ℹī¸ low 3.3 0.0 NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability ex... 2026-05-12
CVE-2026-42446 đŸ”ļ medium 4.4 0.0 NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a stack-based out-of-bounds read exists in... 2026-05-12
CVE-2026-44215 đŸ”ļ medium 4.4 0.0 NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a one-byte heap out-of-bounds null write e... 2026-05-12
CVE-2026-42355 ℹī¸ low 3.3 0.0 NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability ex... 2026-05-12
CVE-2026-42443 ℹī¸ low 3.3 0.0 NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an integer divide-by-zero exists in the UF... 2026-05-12
These CVEs affect the same products