PatchSiren cyber security CVE debrief
CVE-2026-42444 M2Team CVE debrief
NanaZip versions 5.0.1252.0 through 6.0.1698.0 (exclusive) contain a denial-of-service vulnerability in the littlefs filesystem image parser. The Open method reads BlockCount directly from attacker-controlled superblock data without validating against actual file size or enforcing an upper bound, then iterates BlockCount times allocating a file-path entry per iteration. A crafted 44-byte littlefs image with BlockCount set to 0xFFFFFFFF triggers approximately 4 billion heap allocations, exhausting system memory. This vulnerability was published on 2026-05-12 and last modified on 2026-05-18. CVSS 3.1 score is 3.3 (LOW severity). The issue is resolved in version 6.0.1698.0.
- Vendor: M2Team
- Product: NanaZip
- CVSS: LOW 3.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-18
Who should care
End-users and administrators deploying NanaZip in environments where untrusted archive files may be processed. Security teams monitoring for denial-of-service conditions in file handling applications.
Technical summary
The littlefs filesystem image parser in NanaZip fails to validate the BlockCount field read from the superblock. An attacker can craft a minimal 44-byte image with BlockCount set to the maximum value (0xFFFFFFFF), causing the parser to attempt ~4 billion heap allocations and exhaust available memory. The vulnerability is local, requires user interaction to open a malicious file, and results in a low availability impact per CVSS scoring.
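The check that the advisory says was missing, shown as an added C++ example (not NanaZip's code, and not the real littlefs on-disk format): a header-only parser reads a block count and block size from a constructed 44-byte image, and the hardened path refuses any block count that claims more bytes than the file actually contains or that exceeds a fixed cap, before any per-block allocation loop runs. The field offsets, the header size, the `kMaxBlocks` cap and the helper names are assumptions made for this illustration.

```cpp
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <vector>

// Hypothetical fixed-layout header used only for this example. The real
// littlefs superblock is tag-encoded metadata and is NOT modelled here;
// the offsets below are assumptions chosen for illustration.
constexpr size_t kHeaderSize       = 44;
constexpr size_t kBlockSizeOffset  = 8;   // assumed: u32, little-endian
constexpr size_t kBlockCountOffset = 12;  // assumed: u32, little-endian

// Policy cap on how many blocks this parser will ever enumerate (assumption).
constexpr uint64_t kMaxBlocks = 1u << 24;  // 16M blocks

static uint32_t readLE32(const uint8_t* p) {
  return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
         ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

static void writeLE32(uint8_t* p, uint32_t v) {
  p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8);
  p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

struct Superblock {
  uint32_t blockSize;
  uint32_t blockCount;
};

// Models the unvalidated pattern the advisory describes: the block count is
// taken straight from the header and would drive a per-block allocation loop.
// To stay safe to run, this returns the loop bound instead of allocating.
uint64_t unsafeEntryCount(const std::vector<uint8_t>& image) {
  if (image.size() < kHeaderSize) return 0;
  return readLE32(image.data() + kBlockCountOffset);
}

enum class ParseResult { Ok, TooShort, BadBlockSize, CountExceedsFile, CountExceedsCap };

// Hardened parse: every bound is checked before a caller may loop over blocks.
ParseResult parseSuperblock(const std::vector<uint8_t>& image, Superblock& out) {
  if (image.size() < kHeaderSize) return ParseResult::TooShort;
  out.blockSize  = readLE32(image.data() + kBlockSizeOffset);
  out.blockCount = readLE32(image.data() + kBlockCountOffset);
  if (out.blockSize == 0) return ParseResult::BadBlockSize;
  // u32 * u32 fits in u64, so the product cannot wrap before the comparison.
  uint64_t claimedBytes = (uint64_t)out.blockSize * out.blockCount;
  if (claimedBytes > image.size()) return ParseResult::CountExceedsFile;
  if (out.blockCount > kMaxBlocks) return ParseResult::CountExceedsCap;
  return ParseResult::Ok;
}

// Builds a constructed image (sample input, not a real littlefs image) with the
// given fields; totalSize is clamped so the header always fits.
std::vector<uint8_t> makeImage(uint32_t blockSize, uint32_t blockCount,
                               size_t totalSize = kHeaderSize) {
  std::vector<uint8_t> img(std::max(totalSize, kHeaderSize), 0);
  writeLE32(img.data() + kBlockSizeOffset, blockSize);
  writeLE32(img.data() + kBlockCountOffset, blockCount);
  return img;
}

int main() {
  // Constructed 44-byte image with BlockCount = 0xFFFFFFFF, as in the advisory.
  std::vector<uint8_t> crafted = makeImage(512, 0xFFFFFFFFu);
  Superblock sb{};
  ParseResult r = parseSuperblock(crafted, sb);
  return r == ParseResult::Ok ? 1 : 0;  // 0: the crafted image was rejected
}
```

The file-size comparison is the decisive check for the advisory's case: a 44-byte file cannot legitimately describe 0xFFFFFFFF blocks of any non-zero size, so the parser stops before the allocation loop is ever entered. The cap is a second, independent limit for images that are large enough to pass the first check but still unreasonable to enumerate.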
Defensive priority
medium
Recommended defensive actions
- Upgrade NanaZip to version 6.0.1698.0 or later to remediate this vulnerability.
- If upgrading is not immediately possible, avoid opening littlefs filesystem images from untrusted sources.
- Monitor for unusual memory consumption when handling archive files, particularly littlefs images.
Evidence notes
Vendor advisory confirms the vulnerability exists in versions 5.0.1252.0 to before 6.0.1698.0, with fix released in 6.0.1698.0. CWE-770 (Allocation of Resources Without Limits or Throttling) is identified as the weakness.
Official resources
- CVE-2026-42444 CVE record (CVE.org)
- CVE-2026-42444 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Mitigation, Vendor Advisory
The vulnerability was disclosed via GitHub Security Advisory and indexed by NVD. No known exploitation in the wild has been reported.