CVE-2026-42443 LOW

CVE-2026-42443: NanaZip: Integer divide-by-zero in NanaZip UFS inode offset calculation

Vendor M2Team
Product NanaZip
Weakness CWE-369
Published May 12, 2026
Last update May 12, 2026

CVSS base score

3.3/10
Attack vector Local
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an integer divide-by-zero exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the superblock field fs_ipg (inodes per cylinder group) is set to zero. The parser uses this attacker-controlled value as a divisor without validation, causing an immediate hardware trap and process crash. This vulnerability is fixed in 6.0.1698.0.

Key dates

02Disclosure timeline

May 12, 2026 CVE published
May 12, 2026 Record updated