PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42442 M2team CVE debrief

CVE-2026-42442 is a low-severity denial-of-service issue in NanaZip’s UFS/UFS2 filesystem image parser. A crafted UFS image can trigger a null-pointer dereference when the parser opens a root inode that is marked as a symlink instead of a directory. The issue is fixed in NanaZip 6.0.1698.0.

Vendor: M2team
Product: NanaZip
CVSS: 3.3 (Low)
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-18
Advisory published: 2026-05-12
Advisory updated: 2026-05-18

Who should care

Teams that package, deploy, or routinely use NanaZip to open untrusted archives or disk images should care most, especially desktop support, security operations, and software distribution teams validating client versions.

Technical summary

According to the vendor advisory referenced by NVD, the UFS/UFS2 parser assumes that inode 2 (the root inode) is a directory and interprets its contents as directory entries without first checking the inode type in di_mode. In the crafted image the root inode is instead marked IFLNK, with a di_size small enough for the symlink target to be embedded in the inode itself rather than in data blocks, so the parser ends up with a zero-length directory data buffer. The first read of that buffer dereferences a null pointer and crashes the process; the advisory describes no path to code execution. NVD scores the issue CVSS 3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L (3.3, Low) and classifies it as CWE-476 (NULL Pointer Dereference).
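As an added illustration for this debrief, not NanaZip's code, the C sketch below sets the vulnerable root-open shape beside a hardened one and runs both against two constructed images: a well-formed one with a directory root, and a crafted one whose root inode is a short (fast) symlink as the advisory describes. The inode fields reuse UFS names (di_mode, di_size, di_db), but the struct layout, the di_blocks-based block lookup, the Image container, the DirEntry shape and every helper are assumptions made for the example.

```c
/* Added illustration, not NanaZip's code. Inode layout, Image container and
 * helpers are simplified assumptions modelling the advisory's condition. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define UFS_IFMT    0170000u  /* type bits of di_mode */
#define UFS_IFDIR   0040000u  /* directory */
#define UFS_IFLNK   0120000u  /* symbolic link */
#define UFS_ROOTINO 2u        /* root directory inode number */
#define UFS_NDADDR  12        /* direct block pointers per inode */

typedef struct {                /* simplified; real UFS1/UFS2 layouts differ */
    uint16_t di_mode;           /* type | permission bits */
    uint64_t di_size;           /* bytes of data, or of the symlink target */
    uint32_t di_blocks;         /* data blocks owned; 0 for an inline (fast) symlink */
    uint32_t di_db[UFS_NDADDR]; /* block numbers, or inline target bytes for a fast symlink */
} Inode;

typedef struct { Inode inodes[4]; uint8_t blocks[2][64]; } Image;      /* toy image */
typedef struct { uint32_t d_ino; uint16_t d_reclen; uint8_t d_type, d_namlen; char d_name[4]; } DirEntry;
enum { UFS_OK = 0, UFS_ERR_ROOT_NOT_DIR = -1, UFS_ERR_EMPTY_DIR = -2 };

/* First data block of an inode, or NULL with *len = 0 when it owns no blocks,
 * which is exactly what a fast symlink looks like. */
static const uint8_t *inode_data(const Image *img, const Inode *ino, size_t *len)
{
    if (ino->di_blocks == 0) { *len = 0; return NULL; }
    *len = (size_t)ino->di_size;
    return img->blocks[ino->di_db[0]];
}

/* Vulnerable shape: trusts that inode 2 holds directory data. On the crafted
 * image this yields NULL, and the caller's ((const DirEntry *)buf)->d_ino dereferences it. */
const uint8_t *root_dir_vulnerable(const Image *img, size_t *len)
{
    return inode_data(img, &img->inodes[UFS_ROOTINO], len);
}

/* Hardened shape: reject a non-directory root before touching its data, then refuse an empty buffer. */
int root_first_entry_hardened(const Image *img, uint32_t *first_ino)
{
    const Inode *root = &img->inodes[UFS_ROOTINO];
    const uint8_t *buf;
    size_t len;
    DirEntry e;
    if ((root->di_mode & UFS_IFMT) != UFS_IFDIR) return UFS_ERR_ROOT_NOT_DIR;
    buf = inode_data(img, root, &len);
    if (buf == NULL || len < sizeof e) return UFS_ERR_EMPTY_DIR;
    memcpy(&e, buf, sizeof e);
    *first_ino = e.d_ino;
    return UFS_OK;
}

/* Constructed images. crafted == 0: well-formed directory root holding ".".
 * crafted != 0: root inode is a fast symlink, so it owns no data blocks and
 * its short target sits inline in di_db. */
Image make_image(int crafted)
{
    Image img;
    Inode *root = &img.inodes[UFS_ROOTINO];
    DirEntry dot = { UFS_ROOTINO, sizeof(DirEntry), 4 /* DT_DIR */, 1, "." };
    const char target[] = "/tmp";
    memset(&img, 0, sizeof img);
    if (crafted) {
        root->di_mode = UFS_IFLNK | 0777;
        root->di_size = sizeof target - 1;       /* small di_size: target fits inline */
        root->di_blocks = 0;
        memcpy(root->di_db, target, sizeof target);
    } else {
        root->di_mode = UFS_IFDIR | 0755;
        root->di_size = sizeof dot;
        root->di_blocks = 1;                     /* di_db[0] == 0 from memset */
        memcpy(img.blocks[0], &dot, sizeof dot);
    }
    return img;
}

/* Outcome wrappers: 1 when the behaviour is as described, 0 otherwise. */
int good_image_opens_root(void)
{
    Image img = make_image(0); uint32_t ino = 0;
    return root_first_entry_hardened(&img, &ino) == UFS_OK && ino == UFS_ROOTINO;
}
int crafted_image_rejected(void)
{
    Image img = make_image(1); uint32_t ino = 0;
    return root_first_entry_hardened(&img, &ino) == UFS_ERR_ROOT_NOT_DIR;
}
int crafted_image_vulnerable_buffer_is_null(void)
{
    Image img = make_image(1); size_t len = 99;
    return root_dir_vulnerable(&img, &len) == NULL && len == 0;
}

int main(void)
{
    printf("good image: hardened open ok=%d\n", good_image_opens_root());
    printf("crafted image: hardened rejects=%d, vulnerable buffer is NULL=%d\n",
           crafted_image_rejected(), crafted_image_vulnerable_buffer_is_null());
    return 0;
}
```

On the crafted image the vulnerable path hands back a NULL buffer that the first entry read would dereference, which is the CWE-476 condition the advisory describes; the hardened path fails closed on the type check before any read. The length check after it is a generalization beyond the advisory: it also covers a directory inode that claims fewer bytes than one entry, so the read can never run past the buffer either.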

Defensive priority

Low. The impact is limited to a local denial of service: the attack vector is local, a user must open the crafted image (UI:R), and NVD records no confidentiality or integrity impact. Prioritize remediation where NanaZip is used to open untrusted archives or filesystem images.

Recommended defensive actions

  • Upgrade NanaZip to version 6.0.1698.0 or later.
  • Inventory systems that use NanaZip for archive or filesystem image inspection and confirm installed versions.
  • Treat untrusted UFS/UFS2 images as potentially crash-inducing until patched.
  • If you cannot upgrade immediately, restrict handling of untrusted images to trusted workflows and users.
  • Monitor the vendor advisory and NVD record for any follow-up guidance or version corrections.

Evidence notes

The official NVD record for CVE-2026-42442 links to the NanaZip GitHub security advisory and lists the vulnerability as analyzed, with CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L and CWE-476. The advisory text states that the issue affects NanaZip versions before 6.0.1698.0 and describes the crafted UFS image condition that leads to the null-pointer dereference. NVD's CPE criteria list a vulnerable version range that begins at 5.0.1250.0, a lower bound the advisory text does not state, so the two sources differ slightly on the affected range.

Official resources

Publicly disclosed in the CVE record on 2026-05-12 and modified on 2026-05-18. No KEV listing is present in the supplied data.