CVE-2026-42171

EUVD-2026-25637
NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).
Provider: NIST
Type: Primary
Base Score: 7.8 HIGH
Atk. Vector: LOCAL
Atk. Complexity: LOW
Priv. Required: NONE
Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score percentile: Unknown
Affected Products (NVD)
Vendor: nullsoft
Product: nullsoft_scriptable_install_system
Version: 3.06.1 ≤ x < 3.12 (x = vulnerable software versions)
Debian Releases
Debian Product: nsis
Codename: bookworm, no-dsa
Codename: bullseye, postponed
Codename: bullseye (security), vulnerable
Codename: forky, 3.12-1, fixed
Codename: sid, 3.12-1, fixed
Codename: trixie, no-dsa