Description
NanaZip is an open source file archiver. From 5.0.1252.0 to before 6.0.1698.0, a null-pointer dereference exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the root inode (inode 2) is set to IFLNK (symlink) instead of IFDIR (directory). The parser unconditionally treats the root inode as a directory without checking its type, and when the symlink has an embedded target (small di_size), the directory data buffer is zero-length, causing a null-pointer dereference on the first read. This vulnerability is fixed in 6.0.1698.0.
Published: 2026-05-12
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NanaZip, an open‑source archiving tool, contains a null‑pointer dereference in its UFS/UFS2 filesystem image parser. When the parser opens a UFS image whose root inode is set to a symlink, the code assumes it is a directory, ends up with a zero‑length directory data buffer, and then dereferences a null pointer during the first read. The result is a crash of the NanaZip process, which can lead to a denial‑of‑service condition for users attempting to extract the archive.
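The missing check described above, sketched as an added example (this is not NanaZip's code): the struct `inode_view`, the function `check_root_inode` and the status enum are hypothetical, while the `IFMT`, `IFDIR` and `IFLNK` values are the standard UFS mode bits. It rejects a root inode that is not a directory, or that has no directory data, before anything reads from the buffer.

```c
#include <stddef.h>
#include <stdint.h>

/* Standard UFS di_mode type bits, as defined in BSD's ufs/ufs/dinode.h. */
#define IFMT   0170000u  /* mask for the file-type bits */
#define IFDIR  0040000u  /* directory */
#define IFLNK  0120000u  /* symbolic link */

/* Hypothetical, simplified view of a parsed inode: only what the check needs. */
struct inode_view {
    uint16_t       di_mode;   /* type and permission bits */
    uint64_t       di_size;   /* size in bytes */
    const uint8_t *data;      /* loaded block data; NULL when nothing was loaded */
    size_t         data_len;  /* bytes available at data */
};

enum root_status { ROOT_OK = 0, ROOT_NOT_DIR, ROOT_NO_DATA, ROOT_SIZE_MISMATCH };

/* Hypothetical check: validate the root inode before any directory read,
   so a crafted image becomes a parse error instead of a crash. */
enum root_status check_root_inode(const struct inode_view *ino)
{
    if (ino == NULL)
        return ROOT_NO_DATA;
    if ((ino->di_mode & IFMT) != IFDIR)          /* e.g. root marked IFLNK */
        return ROOT_NOT_DIR;
    if (ino->data == NULL || ino->data_len == 0) /* nothing to read entries from */
        return ROOT_NO_DATA;
    if (ino->di_size > ino->data_len)            /* claimed size exceeds buffer */
        return ROOT_SIZE_MISMATCH;
    return ROOT_OK;
}

/* Constructed sample data, not taken from a real image. */
static const uint8_t sample_dir_block[16] = {0};

enum root_status check_sample_symlink_root(void)
{
    /* Root marked IFLNK with a small di_size: target embedded, no block data. */
    struct inode_view root = { (uint16_t)(IFLNK | 0777u), 5, NULL, 0 };
    return check_root_inode(&root);
}

enum root_status check_sample_dir_root(void)
{
    struct inode_view root = { (uint16_t)(IFDIR | 0755u), 16,
                               sample_dir_block, sizeof sample_dir_block };
    return check_root_inode(&root);
}
```
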

Affected Systems

The vulnerability affects M2Team’s NanaZip from versions 5.0.1252.0 up through, but not including, 6.0.1698.0. Any installation of NanaZip within this range that is used to open untrusted UFS images is impacted.

Risk and Exploitability

The CVSS score of 3.3 indicates low severity; the vulnerability is not listed in CISA’s KEV catalog and no EPSS value is available. Exploitation requires an attacker to supply a specially crafted UFS image to the vulnerable version of NanaZip, typically achievable when the application is run locally or a user opens a malicious archive. Because the defect causes a crash rather than privilege escalation or data disclosure, the risk is primarily a local denial of service. Updating to version 6.0.1698.0 or newer resolves the issue.

Generated by OpenCVE AI on May 12, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update to NanaZip 6.0.1698.0 or a later release that contains the fix.
  • If an upgrade cannot be performed immediately, restrict the use of NanaZip to controlled environments and avoid processing UFS images from untrusted or unknown sources.
  • Monitor NanaZip logs for unexpected crashes and configure the application to handle malformed archives gracefully to mitigate repeat denial‑of‑service attacks.

Advisories

No advisories yet.

History

Tue, 12 May 2026 22:30:00 +0000

Values added:
First Time appeared: M2team; M2team nanazip
Vendors & Products: M2team; M2team nanazip

Tue, 12 May 2026 19:30:00 +0000

Values added:
Description: the description text shown at the top of this page
Title: NanaZip: Null-pointer dereference in NanaZip UFS parser when root inode is a symlink
Weaknesses: CWE-476
References
Metrics: cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T19:21:04.924Z

Reserved: 2026-04-27T13:55:58.692Z

Link: CVE-2026-42442

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T20:16:41.393

Modified: 2026-05-12T20:16:41.393

Link: CVE-2026-42442

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T22:15:25Z