Uncontrolled Recursion Vulnerability in NanaZip File Archive Software
CVE-2026-42445

3.3LOW

Key Information:

Vendor: M2team
Status: Nanazip
Vendor: CVE Published:; 12 May 2026

What is CVE-2026-42445?

NanaZip, an open source file archive tool, is susceptible to an uncontrolled recursion issue in its UFS/UFS2 filesystem image parser. Versions from 5.0.1252.0 to just before 6.0.1698.0 are affected. The vulnerability occurs when the GetAllPaths function processes subdirectories without a limit on recursion depth or adequate inode tracking. This flaw can lead to stack exhaustion, resulting in the crash of the NanaZip application when handling specially crafted UFS images containing deep directory structures or inode cycles. The issue has been resolved in version 6.0.1698.0.

Affected Version(s)

NanaZip >= 5.0.1250.0, < 6.0.1698.0

References

https://github.com/M2Team/NanaZip/security/advisories/GHS...

x_refsource_CONFIRM

CVSS V3.1

Score:

3.3

Severity:

LOW

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 27, 2026

CVE-2026-42445 Data

JSON

M2team

What is CVE-2026-42445?

Affected Version(s)

References

CVSS V3.1

Timeline