Description
NanaZip is an open source file archiver. From 5.0.1252.0 to before 6.0.1698.0, a denial-of-service vulnerability exists in the littlefs filesystem image parser in NanaZip. The handler's Open method reads BlockCount directly from the attacker-controlled superblock without any validation against the actual file size or any upper-bound ceiling, then iterates BlockCount times, allocating a file-path entry per iteration. A crafted 44-byte littlefs image with BlockCount = 0xFFFFFFFF causes ~4 billion heap allocations, exhausting available memory. This vulnerability is fixed in 6.0.1698.0.
Published: 2026-05-12
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability lies in NanaZip’s littlefs filesystem image parser, where the Open method blindly reads an attacker‑controlled BlockCount from the archive’s superblock and then creates one heap allocation per count. A crafted archive with a BlockCount of 0xFFFFFFFF forces approximately four billion heap allocations, exhausting system memory and causing a service stall or crash. The weakness is a classic example of unbounded resource consumption (CWE‑770).

Affected Systems

The flaw affects users of M2Team’s NanaZip file archiver. Versions from 5.0.1252.0 up to, but not including, 6.0.1698.0 are vulnerable. Later releases contain a fix that validates the BlockCount value against the actual file size and an upper bound.
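
The kind of check described above, validating BlockCount against the file size and a ceiling before looping, is sketched below as an added example; it is not NanaZip's code. The struct, function names, the MAX_BLOCKS ceiling, the 4096-byte block size and the rule that the image must be at least block_size * block_count bytes long are all assumptions made for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed ceiling on path entries a handler is willing to create. */
#define MAX_BLOCKS (1u << 20)

/* Hypothetical view of the two superblock fields the check needs. */
struct superblock { uint32_t block_size; uint32_t block_count; };

/* Constructed samples: the crafted header from the description, and a
 * well-formed 16-block image. Block sizes are assumed values. */
static const struct superblock crafted_sb = { 4096u, 0xFFFFFFFFu };
static const struct superblock valid_sb   = { 4096u, 16u };

/* Unchecked shape: the loop bound is whatever the header claims. */
uint64_t entries_unchecked(const struct superblock *sb)
{
    return sb->block_count;
}

/* True only if block_count is plausible for an image of file_size bytes. */
bool block_count_is_sane(const struct superblock *sb, uint64_t file_size)
{
    if (sb->block_size == 0 || sb->block_count == 0)
        return false;                 /* degenerate geometry */
    if (sb->block_count > MAX_BLOCKS)
        return false;                 /* upper-bound ceiling */
    /* Both factors are 32-bit, so the 64-bit product cannot overflow. */
    uint64_t needed = (uint64_t)sb->block_size * sb->block_count;
    return needed <= file_size;       /* claimed blocks must fit the file */
}

/* Checked shape: number of entries to allocate, or 0 to reject the image. */
uint64_t entries_checked(const struct superblock *sb, uint64_t file_size)
{
    return block_count_is_sane(sb, file_size) ? sb->block_count : 0;
}

int main(void)
{
    printf("crafted, unchecked: %llu entries\n",
           (unsigned long long)entries_unchecked(&crafted_sb));
    printf("crafted, checked (44-byte file): %llu entries\n",
           (unsigned long long)entries_checked(&crafted_sb, 44));
    printf("valid, checked (64 KiB file): %llu entries\n",
           (unsigned long long)entries_checked(&valid_sb, 65536));
    return 0;
}
```

Either condition alone rejects the 44-byte image: the ceiling catches 0xFFFFFFFF, and the size comparison catches any count the file cannot physically hold.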

Risk and Exploitability

The published CVSS score of 3.3 indicates a low severity rating, consistent with a denial‑of‑service impact that requires the ability to supply a malicious archive to the application. No EPSS data is available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting that no widespread exploits are documented. The attack vector is inferred to be local or semi‑remote, relying on the user or an attacker with access to send a crafted littlefs image to the NanaZip parser. Successful exploitation would consume all available memory used by the process, potentially crashing the application or the host system.

Generated by OpenCVE AI on May 12, 2026 at 20:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade NanaZip to version 6.0.1698.0 or later to receive the patch that validates BlockCount and limits resource usage.
  • Restrict the use of NanaZip to trusted archives and enforce that only authenticated or verified archives are processed by the application.
  • Monitor process memory consumption and set limits or alerts to detect abnormal memory growth that could indicate a DoS attempt.



Advisories

No advisories yet.

History

Tue, 12 May 2026 22:00:00 +0000

Values added (none removed):

  • First Time appeared: M2team; M2team nanazip
  • Vendors & Products: M2team; M2team nanazip

Tue, 12 May 2026 19:30:00 +0000

Values added (none removed):

  • Description: identical to the Description at the top of this page
  • Title: NanaZip: Unbounded resource consumption in NanaZip littlefs parser via attacker-controlled BlockCount
  • Weaknesses: CWE-770
  • References
  • Metrics: cvssV3_1 {'score': 3.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T19:22:09.813Z

Reserved: 2026-04-27T13:55:58.692Z

Link: CVE-2026-42444

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T20:16:41.653

Modified: 2026-05-12T20:16:41.653

Link: CVE-2026-42444

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:45:05Z

Weaknesses