PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-42443 M2team CVE debrief

CVE-2026-42443 is a local denial-of-service issue in NanaZip’s UFS/UFS2 filesystem image parser. A crafted UFS image can set the superblock field fs_ipg to zero, and the parser uses that value as a divisor without validation, causing an immediate divide-by-zero trap and process crash. The issue is fixed in NanaZip 6.0.1698.0.

Vendor: M2team
Product: NanaZip
CVSS: LOW 3.3
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-12
Original CVE updated: 2026-05-18
Advisory published: 2026-05-12
Advisory updated: 2026-05-18

Who should care

NanaZip users and administrators, especially on systems that open untrusted UFS/UFS2 images or automate archive and disk-image inspection.

Technical summary

According to the NVD record and linked vendor advisory, NanaZip versions from 5.0.1252.0 to before 6.0.1698.0 contain an integer divide-by-zero in the UFS/UFS2 filesystem image parser. The trigger is a crafted UFS image whose superblock field fs_ipg (inodes per cylinder group) is set to zero. NVD maps the issue to CWE-369 and the listed CVSS vector indicates local access with user interaction and low availability impact only.
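The CWE-369 pattern described above and the validation that closes it, as an added C example; this is not NanaZip's code or its patch. The struct `ufs_sb_view`, the function names, the status codes, and the use of fs_ipg as the divisor in an inode-to-cylinder-group mapping are assumptions made for illustration, and the fs_ncg check is additional hardening not taken from the advisory.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical, reduced view of the superblock: only the fields used here. */
struct ufs_sb_view {
    uint32_t fs_ncg; /* number of cylinder groups */
    uint32_t fs_ipg; /* inodes per cylinder group (attacker-controlled in an image) */
};

enum ufs_status { UFS_OK = 0, UFS_BAD_SUPERBLOCK = -1, UFS_BAD_INODE = -2 };

/* Reject a superblock whose geometry fields cannot be used as divisors.
 * Call this once after reading the superblock, before any arithmetic on it. */
static enum ufs_status ufs_sb_validate(const struct ufs_sb_view *sb)
{
    if (sb == NULL || sb->fs_ipg == 0 || sb->fs_ncg == 0)
        return UFS_BAD_SUPERBLOCK;
    return UFS_OK;
}

/* Map an inode number to (cylinder group, index within group).
 * The unchecked form is simply `ino / sb->fs_ipg`, which traps when fs_ipg == 0.
 * Here the division only happens after validation, and the result is range-checked. */
static enum ufs_status ufs_locate_inode(const struct ufs_sb_view *sb, uint32_t ino,
                                        uint32_t *cg, uint32_t *idx)
{
    enum ufs_status st = ufs_sb_validate(sb);
    if (st != UFS_OK)
        return st; /* fail the parse cleanly instead of crashing */

    uint32_t group = ino / sb->fs_ipg;
    if (group >= sb->fs_ncg)
        return UFS_BAD_INODE; /* inode lies beyond the declared groups */

    *cg = group;
    *idx = ino % sb->fs_ipg;
    return UFS_OK;
}

int main(void)
{
    /* Constructed sample values, not taken from any real image. */
    struct ufs_sb_view crafted = { .fs_ncg = 4, .fs_ipg = 0 };
    struct ufs_sb_view sane = { .fs_ncg = 4, .fs_ipg = 1024 };
    uint32_t cg = 0, idx = 0;

    printf("crafted: %d\n", ufs_locate_inode(&crafted, 2, &cg, &idx));
    printf("sane:    %d (cg=%u idx=%u)\n",
           ufs_locate_inode(&sane, 2050, &cg, &idx), cg, idx);
    return 0;
}
```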

Defensive priority

Low. Patch promptly if NanaZip is present on endpoints that may open untrusted UFS images, but this is a crash-only issue with no listed confidentiality or integrity impact.

Recommended defensive actions

  • Upgrade NanaZip to 6.0.1698.0 or later.
  • Restrict or review handling of untrusted UFS/UFS2 disk images until patched.
  • If NanaZip is bundled in another application or package, confirm the bundled version is updated.
  • Use the vendor advisory and NVD record to validate that deployed builds are outside the affected version range.

Evidence notes

The supplied NVD metadata marks the CVE as analyzed and lists vulnerable versions from 5.0.1252.0 through before 6.0.1698.0. The record cites the vendor advisory as a mitigation reference, identifies CWE-369, and provides the CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L, consistent with a local crash caused by divide-by-zero during image parsing.

Official resources

Publicly disclosed in the NVD record on 2026-05-12, with a linked vendor mitigation/advisory; the NVD entry was last modified on 2026-05-18.