CVE-2026-42442

Name of the Vulnerable Software and Affected Versions NanaZip versions 5.0.1252.0 through 6.0.1697.0

Description A null-pointer dereference exists in the UFS/UFS2 filesystem image parser. This occurs when opening a specially crafted UFS image where the root inode (inode 2) is set to IFLNK (symlink) instead of IFDIR (directory). The parser treats the root inode as a directory without verifying its type. If the symlink contains an embedded target (small di size), the directory data buffer is created with zero length, leading to a null-pointer dereference during the first read operation.

Recommendations Update to version 6.0.1698.0.