Description
NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an integer divide-by-zero exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the superblock field fs_ipg (inodes per cylinder group) is set to zero. The parser uses this attacker-controlled value as a divisor without validation, causing an immediate hardware trap and process crash. This vulnerability is fixed in 6.0.1698.0.
Published: 2026-05-12
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NanaZip, an open‑source file archive, has an integer divide‑by‑zero error in its UFS/UFS2 filesystem image parser. An attacker can craft a UFS image with the superblock field fs_ipg (inodes per cylinder group) set to zero. The parser uses this value as a divisor without validation, resulting in a hardware trap that crashes the process. This flaw is a classic division‑by‑zero vulnerability (CWE‑369) and yields only a crash – no privilege escalation or code execution.

Affected Systems

The flaw exists in NanaZip versions 5.0.1252.0 through 6.0.1697.999 (any release prior to 6.0.1698.0). All builds of the product from the specified starting point up to the fix are affected.

Risk and Exploitability

The CVSS score of 3.3 indicates a low impact assessment. EPSS data is not available and the flaw is not listed in the CISA KEV catalog. The attack requires local supply of a malicious UFS image, so the impact is limited to denial of service for whoever opens the file. Exploitation is straightforward – providing the crafted file causes an immediate crash – but the lack of remote or privilege‑elevating capabilities reduces overall risk for most production environments.

Generated by OpenCVE AI on May 12, 2026 at 21:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NanaZip to version 6.0.1698.0 or later where the divide‑by‑zero check has been added.
  • Restrict NanaZip usage to trusted UFS files and disable automatic processing of untrusted images from network or user uploads.
  • Set up monitoring of system logs to detect unexpected crashes or exceptions triggered by UFS file handling, which may indicate exploitation attempts.

Generated by OpenCVE AI on May 12, 2026 at 21:03 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 13 May 2026 00:15:00 +0000

Type Values Removed Values Added
First Time appeared M2team
M2team nanazip
Vendors & Products M2team
M2team nanazip

Tue, 12 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 12 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an integer divide-by-zero exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the superblock field fs_ipg (inodes per cylinder group) is set to zero. The parser uses this attacker-controlled value as a divisor without validation, causing an immediate hardware trap and process crash. This vulnerability is fixed in 6.0.1698.0.
Title NanaZip: Integer divide-by-zero in NanaZip UFS inode offset calculation
Weaknesses CWE-369
References
Metrics cvssV3_1

{'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}

Subscriptions

M2team Nanazip
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T19:44:22.314Z

Reserved: 2026-04-27T13:55:58.692Z

Link: CVE-2026-42443

cve-icon Vulnrichment

Updated: 2026-05-12T19:44:08.751Z

cve-icon NVD

Status : Received

Published: 2026-05-12T20:16:41.520

Modified: 2026-05-12T20:16:41.520

Link: CVE-2026-42443

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T00:00:16Z

Weaknesses