Description
NanaZip is an open source file archiver. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the UFS/UFS2 filesystem image parser in NanaZip. The function GetAllPaths recurses into subdirectories without any depth limit or visited-inode tracking. A crafted UFS image with a deep directory tree or an inode cycle causes stack exhaustion, crashing the NanaZip process. This vulnerability is fixed in 6.0.1698.0.
Published: 2026-05-12
Score: 3.3 Low
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

NanaZip's UFS/UFS2 image parser contains an uncontrolled recursion flaw (CWE-674): the GetAllPaths function recurses into every subdirectory it encounters with no depth limit and no record of the inodes it has already visited. A crafted UFS image containing either a very deep directory chain or a directory entry that points back at an ancestor inode therefore drives the recursion until the call stack is exhausted, and the NanaZip process crashes. The consequence is a denial of service for the local user, or for any service that opens untrusted images with NanaZip; no elevation of privilege or data disclosure is involved (CVSS C:N/I:N/A:L).
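As an added illustration of the Impact paragraph above (this is not NanaZip's code and not a UFS parser), the following C++ sketch places an unbounded recursive directory walker of the kind the advisory describes next to a bounded one. The names GetAllPathsUnsafe, GetAllPathsSafe, WalkSafe, WalkUnsafe and the in-memory inode-table layout are assumptions for the example; the sample images are constructed inline.

```cpp
// Added example (not NanaZip's code): an unbounded directory walk of the kind
// the advisory describes, next to a bounded one. The "image" is a constructed
// in-memory inode table; the UFS on-disk layout is deliberately not modelled.
#include <cstdint>
#include <map>
#include <set>
#include <string>
#include <vector>

enum class Kind { File, Dir };

struct Inode {
    Kind kind;
    std::vector<std::pair<std::string, uint32_t>> entries;  // name -> child inode (dirs only)
};
using Image = std::map<uint32_t, Inode>;

// Vulnerable shape (CWE-674): recursion bounded only by the image contents.
// "." and ".." are skipped, as any working walker must, but nothing stops an
// entry that points back at an ancestor, or a chain of thousands of nested
// directories, from recursing until the stack is gone.
static void GetAllPathsUnsafe(const Image& img, uint32_t ino, const std::string& prefix,
                              std::vector<std::string>& out) {
    for (const auto& e : img.at(ino).entries) {
        if (e.first == "." || e.first == "..") continue;
        std::string path = prefix + "/" + e.first;
        if (img.at(e.second).kind == Kind::Dir)
            GetAllPathsUnsafe(img, e.second, path, out);  // no depth limit, no visited set
        else
            out.push_back(path);
    }
}

enum class WalkResult { Ok, TooDeep, Cycle, BadInode };

// Hardened shape: a hard depth cap, a visited set of directory inodes (in a
// valid UFS tree each directory is reached exactly once, so a repeat means a
// cycle or cross-link), and rejection of dangling child inode numbers.
static WalkResult GetAllPathsSafe(const Image& img, uint32_t ino, const std::string& prefix,
                                  unsigned depth, unsigned maxDepth,
                                  std::set<uint32_t>& visited, std::vector<std::string>& out) {
    if (depth > maxDepth) return WalkResult::TooDeep;
    auto it = img.find(ino);
    if (it == img.end() || it->second.kind != Kind::Dir) return WalkResult::BadInode;
    if (!visited.insert(ino).second) return WalkResult::Cycle;  // directory inode seen twice
    for (const auto& e : it->second.entries) {
        if (e.first == "." || e.first == "..") continue;
        auto cit = img.find(e.second);
        if (cit == img.end()) return WalkResult::BadInode;
        std::string path = prefix + "/" + e.first;
        if (cit->second.kind == Kind::Dir) {
            WalkResult r = GetAllPathsSafe(img, e.second, path, depth + 1, maxDepth, visited, out);
            if (r != WalkResult::Ok) return r;
        } else {
            out.push_back(path);
        }
    }
    return WalkResult::Ok;
}

// Constructed sample: a benign tree, root directory at inode 2 as in UFS.
static Image BenignImage() {
    Image img;
    img[2] = {Kind::Dir, {{".", 2}, {"..", 2}, {"etc", 3}, {"README", 4}}};
    img[3] = {Kind::Dir, {{".", 3}, {"..", 2}, {"passwd", 5}}};
    img[4] = {Kind::File, {}};
    img[5] = {Kind::File, {}};
    return img;
}
// Constructed sample: /etc carries an extra entry "loop" whose inode is the root.
static Image CyclicImage() {
    Image img = BenignImage();
    img[3].entries.push_back({"loop", 2});
    return img;
}
// Constructed sample: n nested directories d/d/d/... ending in a single file.
static Image DeepImage(unsigned n) {
    Image img;
    for (unsigned i = 0; i < n; ++i) {
        uint32_t ino = 2 + i;
        uint32_t parent = (i == 0) ? ino : ino - 1;
        img[ino] = {Kind::Dir, {{".", ino}, {"..", parent}, {"d", ino + 1}}};
    }
    img[2 + n] = {Kind::File, {}};
    return img;
}

// Entry points starting at the root inode; the safe one reports why it stopped.
static WalkResult WalkSafe(const Image& img, unsigned maxDepth, std::vector<std::string>& out) {
    std::set<uint32_t> visited;
    out.clear();
    return GetAllPathsSafe(img, 2, "", 0, maxDepth, visited, out);
}
static void WalkUnsafe(const Image& img, std::vector<std::string>& out) {
    out.clear();
    GetAllPathsUnsafe(img, 2, "", out);  // only ever call this on the benign sample
}
```

Both walkers skip "." and ".." entries; the difference is that the bounded one refuses to go past a fixed depth and refuses any directory inode it has already descended into, so a cycle or a pathologically deep tree yields an error code instead of a crash. A depth cap alone does not catch a cycle quickly (it still recurses to the cap before failing), which is why the visited set matters as well.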

Affected Systems

The vulnerability affects M2Team NanaZip from version 5.0.1252.0 up to, but not including, 6.0.1698.0. Version 6.0.1698.0 and later contain the fix.

Risk and Exploitability

The CVSS 3.1 base score of 3.3 (AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L) reflects a low-severity, availability-only impact. No EPSS score has been published yet, and the issue is not in the CISA KEV catalog, so there is no indication of exploitation in the wild at the time of writing. Exploitation requires a victim to open a malicious UFS image in NanaZip (user interaction), whether the image is handed directly to a local user or fed into a pipeline that processes user-supplied archives. Because the flaw is a crash rather than code execution or privilege escalation, the realistic outcome is a denial of service confined to the NanaZip process.

Generated by OpenCVE AI on May 12, 2026 at 20:26 UTC.

Remediation

Vendor fix: NanaZip 6.0.1698.0 and later (per the CVE description). No vendor workaround is listed.

OpenCVE Recommended Actions

  • Upgrade NanaZip to version 6.0.1698.0 or newer, which contains the fix for the unbounded recursion in the UFS/UFS2 parser.
  • Until an upgrade is possible, only open UFS/UFS2 images from trusted sources, and run NanaZip under a sandbox or low-privilege account so that a crash stays contained to that process.
  • Monitor for unexpected NanaZip crashes (for example Windows Error Reporting or Application event log entries for the NanaZip executable) and confirm that the deployed binary reports version 6.0.1698.0 or later.

Advisories

No advisories yet.

History

Tue, 12 May 2026 22:00:00 +0000

Type                  Values Removed    Values Added
First Time appeared   (none)            M2team; M2team nanazip
Vendors & Products    (none)            M2team; M2team nanazip

Tue, 12 May 2026 19:30:00 +0000

Type           Values Removed    Values Added
Description    (none)            NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the UFS/UFS2 filesystem image parser in NanaZip. The function GetAllPaths recurses into subdirectories without any depth limit or visited-inode tracking. A crafted UFS image with a deep directory tree or an inode cycle causes stack exhaustion, crashing the NanaZip process. This vulnerability is fixed in 6.0.1698.0.
Title          (none)            NanaZip: Uncontrolled recursion in NanaZip UFS directory traversal causes stack exhaustion
Weaknesses     (none)            CWE-674
References     (none)            (none)
Metrics        (none)            cvssV3_1: score 3.3, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T19:22:59.935Z

Reserved: 2026-04-27T13:55:58.692Z

Link: CVE-2026-42445

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-12T20:16:41.777

Modified: 2026-05-12T20:16:41.777

Link: CVE-2026-42445

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T21:45:05Z

Weaknesses