Null-Pointer Dereference in NanaZip File Archive Tool
CVE-2026-42442

3.3 LOW

Key Information:

Vendor

M2team

Status
Vendor
CVE Published: 12 May 2026

What is CVE-2026-42442?

A null-pointer dereference exists in NanaZip, an open-source file archiving tool. It is triggered by opening a specially crafted UFS image whose root inode is set to IFLNK (symbolic link) rather than IFDIR (directory). The parser treats this symlink as a directory without verifying its type. If the embedded target of the symlink is small, the resulting directory data buffer is empty, and the first read operation dereferences a null pointer. This can crash the application, resulting in a denial-of-service condition. The issue has been resolved in version 6.0.1698.0.
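The two checks the description implies (verify the inode type, then verify the buffer before the first read) are sketched below as an added example; this is not NanaZip's code or its actual fix. The `inode_view` struct, `first_dirent_ino` function and status names are hypothetical, and a little-endian image is assumed.

```c
#include <stddef.h>
#include <stdint.h>

/* UFS di_mode file-type bits (standard on-disk values). */
#define UFS_IFMT  0170000u
#define UFS_IFDIR 0040000u
#define UFS_IFLNK 0120000u

/* Fixed header of a UFS directory entry: d_ino(4) d_reclen(2) d_type(1) d_namlen(1). */
#define DIRENT_HDR_LEN 8u

/* Hypothetical parsed-inode view; not NanaZip's own structure. */
struct inode_view {
    uint16_t mode;        /* di_mode read from the image, untrusted */
    const uint8_t *data;  /* contents loaded from data blocks, NULL if none */
    size_t data_len;
};

enum dir_status { DIR_OK = 0, DIR_NOT_A_DIRECTORY, DIR_NO_ENTRIES };

/* Returns the inode number of the first directory entry, or an error
 * instead of reading through a missing or undersized buffer. */
enum dir_status first_dirent_ino(const struct inode_view *ino, uint32_t *out)
{
    /* Check 1: the type bits must say "directory" before any dirent parsing. */
    if ((ino->mode & UFS_IFMT) != UFS_IFDIR)
        return DIR_NOT_A_DIRECTORY;
    /* Check 2: an inode with no loaded data yields no buffer to read from. */
    if (ino->data == NULL || ino->data_len < DIRENT_HDR_LEN)
        return DIR_NO_ENTRIES;
    /* Assumption: little-endian image. */
    *out = (uint32_t)ino->data[0] | (uint32_t)ino->data[1] << 8 |
           (uint32_t)ino->data[2] << 16 | (uint32_t)ino->data[3] << 24;
    return DIR_OK;
}

int main(void)
{
    /* Constructed case: root inode marked IFLNK with a small embedded target,
     * so the directory data buffer is empty. */
    struct inode_view root = { (uint16_t)(UFS_IFLNK | 0755u), NULL, 0 };
    uint32_t ino = 0;
    return first_dirent_ino(&root, &ino) == DIR_NOT_A_DIRECTORY ? 0 : 1;
}
```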

Affected Version(s)

NanaZip >= 5.0.1250.0, < 6.0.1698.0

CVSS V3.1

Score: 3.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved