CVE-2026-42443

EUVD-2026-29788

12.05.2026, 20:16

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an integer divide-by-zero exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the superblock field fs_ipg (inodes per cylinder group) is set to zero. The parser uses this attacker-controlled value as a divisor without validation, causing an immediate hardware trap and process crash. This vulnerability is fixed in 6.0.1698.0.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	3.3 LOW	LOCAL	LOW	NONE	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

Base Score

CVSS 3.x

EPSS Score

Percentile: 1%

Affected Products (NVD)

Vendor	Product	Version
m2team	nanazip	5.0.1252.0 ≤ 𝑥 < 6.0.1698.0

𝑥

= Vulnerable software versions

Common Weakness Enumeration

CWE-369 - Divide By Zero
The product divides a value by zero.

References

https://github.com/M2Team/NanaZip/security/advisories/GHSA-3x2h-gqqw-g3gm