← Back

CVE-2026-42442

nvd nist
Published: May 12, 2026Modified: May 18, 2026

JSON object

Loading...
5.5
Vector
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H
Exploitability: 1.8 / Impact: 3.6
Source: NVD

Description

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a null-pointer dereference exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the root inode (inode 2) is set to IFLNK (symlink) instead of IFDIR (directory). The parser unconditionally treats the root inode as a directory without checking its type, and when the symlink has an embedded target (small di_size), the directory data buffer is zero-length, causing a null-pointer dereference on the first read. This vulnerability is fixed in 6.0.1698.0.

Affected (1)

Products: M2team: Nanazip
M2team
1 product
Nanazip
Configuration A
1 vulnerable
Vulnerable SoftwareAffected Versions
Nanazip
From 5.0.1250.0 to 6.0.1698.0

Related CWEs

CWE-476
NULL Pointer Dereference
The product dereferences a pointer that it expects to be valid but is NULL.

References (1)

Source: security-advisories@github.com
MitigationVendor Advisory

Timeline

No history available yet.