PatchSiren


CVE-2026-42171 Nullsoft CVE debrief

NSIS (Nullsoft Scriptable Install System) versions 3.06.1 through 3.11 contain a local privilege escalation vulnerability. When NSIS installers execute with SYSTEM privileges, they may incorrectly use the Low Integrity Level (IL) temporary directory for file operations. An attacker with local access who can cause the `my_GetTempFileName` function to return 0 can exploit this behavior to achieve privilege escalation. The vulnerability stems from improper handling of temporary file paths in elevated execution contexts, violating the principle that high-integrity processes should not use low-integrity directories for sensitive operations. This issue was resolved in NSIS 3.12.

Vendor: Nullsoft
Product: Nullsoft Scriptable Install System
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-24
Original CVE updated: 2026-05-18
Advisory published: 2026-04-24
Advisory updated: 2026-05-18

Who should care

Windows system administrators managing software deployment pipelines, security teams auditing installer security, developers building NSIS-based installers, and organizations using third-party software distributed via NSIS installers.

Technical summary

The vulnerability exists in NSIS versions 3.06.1 through 3.11 in the `my_GetTempFileName` function within `Source/exehead/util.c`. When NSIS installers run with elevated SYSTEM privileges, the function may return a path within the Low Integrity Level temporary directory rather than an appropriate high-integrity location. If an attacker can cause `my_GetTempFileName` to return 0, they can exploit this path confusion to perform privileged operations on attacker-controlled files. The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H reflects local attack vector, low complexity, no privileges required, user interaction needed, and high impact across confidentiality, integrity, and availability. The fix in NSIS 3.12 ensures proper temporary directory selection during elevated execution contexts.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade NSIS to version 3.12 or later to eliminate the vulnerability
  • Audit systems for NSIS-based installers built with affected versions and request rebuilds with patched NSIS
  • Monitor for suspicious activity in Low Integrity Level temp directories on systems running legacy NSIS installers
  • Review custom NSIS scripts for any explicit `my_GetTempFileName` usage that may need adjustment
  • Apply principle of least privilege by avoiding SYSTEM-level execution of NSIS installers where possible
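
One way to run the installer audit recommended above, as an added example that is not part of the original debrief or of NSIS itself. It assumes the installer stub's embedded manifest carries the string `Nullsoft Install System v<version>` and that the installer data header carries the `NullsoftInst` marker; the function names and status labels are illustrative.

```python
import re
import sys
from pathlib import Path

# Affected range stated in the advisory: 3.06.1 through 3.11 (fixed in 3.12).
AFFECTED_MIN, AFFECTED_MAX = (3, 6, 1), (3, 11, 0)
# Assumption: the stub manifest carries "Nullsoft Install System v<version>"
# and the installer data header carries the "NullsoftInst" marker.
VERSION_RE = re.compile(rb"Nullsoft Install System v(\d+(?:\.\d+)*)")
HEADER_MARKER = b"NullsoftInst"
READ_LIMIT = 4 * 1024 * 1024  # assumption: stub and header sit at the file start


def parse_version(text):
    """'3.06.1' -> (3, 6, 1) and '3.11' -> (3, 11, 0), so 3.06 < 3.06.1 < 3.10."""
    parts = [int(p) for p in text.split(".")]
    return tuple((parts + [0, 0, 0])[:3])


def classify(data):
    """Return (status, version) for the leading bytes of one executable."""
    match = VERSION_RE.search(data)
    if match is None:
        # NSIS marker without a readable version string: needs manual review.
        return ("nsis-unknown-version" if HEADER_MARKER in data else "not-nsis", None)
    version = match.group(1).decode("ascii")
    affected = AFFECTED_MIN <= parse_version(version) <= AFFECTED_MAX
    return ("affected" if affected else "not-affected", version)


def scan(root):
    """Return [(path, status, version)] for NSIS installers found under root."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.suffix.lower() != ".exe" or not path.is_file():
            continue
        try:
            with path.open("rb") as handle:
                status, version = classify(handle.read(READ_LIMIT))
        except OSError:
            continue  # unreadable file: skip rather than abort the audit
        if status != "not-nsis":
            findings.append((str(path), status, version))
    return findings


if __name__ == "__main__":
    for path, status, version in scan(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{status:22} {version or '?':8} {path}")
```

An `affected` result means the installer was built with an NSIS release in the advisory's range and should be rebuilt with 3.12 or later; a packed or customized stub can hide the version string, so `nsis-unknown-version` results need manual review.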

Evidence notes

CVE published 2026-04-24; modified 2026-05-18. Affected versions confirmed as 3.06.1 through 3.11 per NVD CPE criteria. Patch commit 8e6f02205d5f22da6c7855dbfe59b2af667330ca addresses the vulnerability. Release notes for version 3.12 document the fix.
