Denial-of-Service Vulnerability in NanaZip File Archive by M2Team
CVE-2026-42444

3.3 LOW

Key Information:

Vendor

M2Team

Status
Vendor
CVE Published: 12 May 2026

What is CVE-2026-42444?

NanaZip, an open source file archiving tool, is subject to a denial-of-service vulnerability due to improper validation in the littlefs filesystem image parser. When processing specially crafted 44-byte littlefs images, the Open method does not validate the BlockCount from the superblock against the actual file size. This oversight leads to excessive memory allocation, exhausting system resources when BlockCount is set to a maximum value. The vulnerability affects versions 5.0.1252.0 to just before 6.0.1698.0 and has been addressed in version 6.0.1698.0.
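
The missing check described above, as an added example (not NanaZip's code and not the actual patch): the declared block geometry is compared with the real file size before anything is sized from BlockCount. The struct, function names, the 4096-byte block size and the 8-byte table entry are assumptions made for illustration, as is the premise that the allocation grows linearly with BlockCount.

```cpp
#include <cstdint>
#include <cstdio>

// Hypothetical, already-parsed superblock fields (names are assumptions,
// not NanaZip's own identifiers).
struct SuperblockFields {
    std::uint32_t block_size;   // bytes per block, as declared by the image
    std::uint32_t block_count;  // number of blocks, as declared by the image
};

enum class SizeCheck { Ok, ZeroGeometry, ExceedsFile };

// Bytes a parser would request if it sized a per-block table straight from
// the declared count (the unvalidated pattern the advisory describes).
std::uint64_t unchecked_table_bytes(const SuperblockFields& sb,
                                    std::uint64_t bytes_per_entry) {
    return static_cast<std::uint64_t>(sb.block_count) * bytes_per_entry;
}

// Hardened form: the declared geometry must fit inside the bytes that are
// actually present before block_count is used to size anything.
SizeCheck validate_geometry(const SuperblockFields& sb,
                            std::uint64_t file_size) {
    if (sb.block_size == 0 || sb.block_count == 0)
        return SizeCheck::ZeroGeometry;
    // Compare by division so no multiplication can wrap.
    if (sb.block_count > file_size / sb.block_size)
        return SizeCheck::ExceedsFile;
    return SizeCheck::Ok;
}

int main() {
    // Constructed values: a 44-byte file whose superblock claims the
    // maximum block count.
    SuperblockFields sb{4096, UINT32_MAX};
    std::printf("unchecked request: %llu bytes\n",
                static_cast<unsigned long long>(unchecked_table_bytes(sb, 8)));
    std::printf("rejected: %d\n",
                validate_geometry(sb, 44) == SizeCheck::ExceedsFile);
    return 0;
}
```
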

Affected Version(s)

NanaZip >= 5.0.1250.0, < 6.0.1698.0

CVSS V3.1

Score: 3.3
Severity: LOW
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
