CVE-2026-42445

Source
https://cve.org/CVERecord?id=CVE-2026-42445
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42445.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-42445
Aliases
  • GHSA-jpf5-j78p-cp3x
Published
2026-05-12T19:22:59.935Z
Modified
2026-07-08T08:13:19.688717728Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L CVSS Calculator
Summary
NanaZip: Uncontrolled recursion in NanaZip UFS directory traversal causes stack exhaustion
Details

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an uncontrolled recursion vulnerability exists in the UFS/UFS2 filesystem image parser in NanaZip. The function GetAllPaths recurses into subdirectories without any depth limit or visited-inode tracking. A crafted UFS image with a deep directory tree or an inode cycle causes stack exhaustion, crashing the NanaZip process. This vulnerability is fixed in 6.0.1698.0.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42445.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-674"
    ]
}
References

Affected packages

Git / github.com/m2team/nanazip

Affected ranges

Type
GIT
Repo
https://github.com/m2team/nanazip
Events
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:m2team:nanazip:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "5.0.1250.0"
        },
        {
            "fixed": "6.0.1698.0"
        },
        {
            "introduced": "5.0.1252.0"
        }
    ]
}

Affected versions

5.*
5.0.1250.0
5.0.1252.0
5.0.1263.0
5.1.1252.0
5.1.1263.0
6.*
6.0.1461.0
6.0.1621.0
6.0.1630.0
6.0.1632.0
6.0.1638.0
6.0.1650.0
6.0.1691.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42445.json"