Low severity3.3NVD Advisory· Published May 12, 2026· Updated May 18, 2026
CVE-2026-42442
CVE-2026-42442
Description
NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a null-pointer dereference exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the root inode (inode 2) is set to IFLNK (symlink) instead of IFDIR (directory). The parser unconditionally treats the root inode as a directory without checking its type, and when the symlink has an embedded target (small di_size), the directory data buffer is zero-length, causing a null-pointer dereference on the first read. This vulnerability is fixed in 6.0.1698.0.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
1Patches
Vulnerability mechanics
References
1- github.com/M2Team/NanaZip/security/advisories/GHSA-8r4x-fx3w-ph77nvdMitigationVendor Advisory
News mentions
0No linked articles in our index yet.