CVE-2026-42445

CVSS Score & Metrics

Base Score

3.3 / 10

Vector String

                                        CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L                                    

Vulnerability Description

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the UFS/UFS2 filesystem image parser in NanaZip. The function GetAllPaths recurses into subdirectories without any depth limit or visited-inode tracking. A crafted UFS image with a deep directory tree or an inode cycle causes stack exhaustion, crashing the NanaZip process. This vulnerability is fixed in 6.0.1698.0.

Vulnerability Details

Published Date

May 12, 2026

Last Modified

May 14, 2026

CWE ID

CWE-674

Source

NVD

Vendor

M2Team

Product

NanaZip

External References

https://github.com/M2Team/NanaZip/security/advisories/GHSA-jpf5-j78p-cp3x

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment