CVE Vulnerability Database

CVE-2026-42355: NanaZip Denial of Service Vulnerability

CVE-2026-42355 is a denial of service flaw in NanaZip caused by uncontrolled recursion in the ASAR parser. Attackers can crash the application using crafted files. This article covers technical details, affected versions, impact, and mitigation.


CVE-2026-42355 Overview

CVE-2026-42355 is an uncontrolled recursion vulnerability [CWE-674] in NanaZip, an open source file archiver for Windows. The flaw resides in the Electron Archive (ASAR) parser. Versions from 5.0.1252.0 up to but not including 6.0.1698.0 are affected. When a user opens a crafted .asar file, the parser processes deeply nested JSON in the archive header without enforcing depth limits. Both nlohmann::json::parse and the handler's GetAllPaths function recurse until the thread stack is exhausted, crashing the NanaZip process. The issue is fixed in version 6.0.1698.0.

Impact

A local denial of service: an attacker who gets a user to open a malicious .asar archive crashes the NanaZip process. Confidentiality and integrity are not affected, and the crash is confined to the NanaZip process, so the rest of the system keeps running.

Affected Products

  • NanaZip 5.0.1252.0 and later, up to but not including 6.0.1698.0
  • The Electron Archive (ASAR) parser component
  • NanaZip 6.0.1698.0 and later contain the fix

Discovery Timeline

  • 2026-05-12 - CVE-2026-42355 published to NVD
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-42355

Vulnerability Analysis

NanaZip extends 7-Zip with support for the Electron Archive (ASAR) format used by Electron-based applications. An ASAR file begins with a length-prefixed JSON header that describes the directory tree of the files inside the archive; directories nest by way of a "files" object, so a deeply nested directory tree is a deeply nested JSON object. The vulnerable code path parses this header with the nlohmann::json library and then walks the resulting object tree with a function named GetAllPaths.

Neither the JSON parsing step nor the tree traversal step enforces a maximum recursion depth. Each nesting level adds a stack frame during parsing and another during path enumeration. A crafted header containing thousands of nested objects exhausts the thread stack and raises a stack overflow exception (STATUS_STACK_OVERFLOW, 0xC00000FD, on Windows) that the application does not handle. The result is abnormal termination of the NanaZip process.

The Exploit Prediction Scoring System (EPSS) reports a probability of 0.013%, reflecting low likelihood of exploitation in the wild. The vulnerability requires user interaction and yields no code execution or data disclosure.

Root Cause

The root cause is the absence of a recursion limit when handling untrusted, structured input. Both the JSON library call and the handler's own GetAllPaths walker trust the producer of the archive to supply a sanely shaped header: the application does not validate header depth before parsing, and the post-parse walker does not bound its descent.
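The two halves of the fix, a bound on the walker's descent and a rejection of over-deep input before the tree exists, are easier to see in code. The following is an added example written for this article, not NanaZip's source or nlohmann::json: a minimal stand-in for the parsed directory tree, the unbounded enumeration shape described in the analysis, and a depth-bounded replacement. The AsarEntry type, the function names, and the limit kMaxAsarDepth = 64 are assumptions for the example; the page does not state the limit the fix adopted.

```cpp
// Added example (not NanaZip's code): a minimal stand-in for the parsed ASAR
// "files" tree, the unbounded walker shape that exhausts the stack, and a
// depth-bounded replacement. Names and the depth limit are assumptions.
#include <cstddef>
#include <cstdio>
#include <map>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Directory entries map child names to entries; file entries have no children.
struct AsarEntry {
    bool isDirectory = false;
    std::map<std::string, AsarEntry> files;
};

// The vulnerable shape: one stack frame per directory level and no limit, so a
// header nested thousands of levels deep recurses until the thread stack is gone.
void GetAllPathsUnbounded(const AsarEntry& dir, const std::string& prefix,
                          std::vector<std::string>& out) {
    for (const auto& child : dir.files) {
        std::string path = prefix.empty() ? child.first : prefix + "/" + child.first;
        out.push_back(path);
        if (child.second.isDirectory) GetAllPathsUnbounded(child.second, path, out);
    }
}

// Assumed limit for this example; the value NanaZip chose is not stated on this page.
constexpr std::size_t kMaxAsarDepth = 64;

// Hardened shape: the current depth travels with the call and is checked on entry,
// so the deepest frame the walker can ever create is kMaxAsarDepth + 1.
void GetAllPathsBounded(const AsarEntry& dir, const std::string& prefix,
                        std::vector<std::string>& out, std::size_t depth) {
    if (depth > kMaxAsarDepth)
        throw std::runtime_error("ASAR header exceeds maximum directory depth");
    for (const auto& child : dir.files) {
        std::string path = prefix.empty() ? child.first : prefix + "/" + child.first;
        out.push_back(path);
        if (child.second.isDirectory) GetAllPathsBounded(child.second, path, out, depth + 1);
    }
}

// Wrapper a handler would call: false means the archive was rejected, not crashed.
bool EnumerateAsarPaths(const AsarEntry& root, std::vector<std::string>& out) {
    out.clear();
    try {
        GetAllPathsBounded(root, "", out, 0);
        return true;
    } catch (const std::runtime_error&) {
        out.clear();
        return false;
    }
}

// Builds a chain of `levels` directories named "d" with one file at the bottom
// (constructed sample input for this example, built iteratively to avoid recursion).
AsarEntry MakeNestedTree(std::size_t levels) {
    AsarEntry node;
    node.isDirectory = true;
    node.files["payload.txt"] = AsarEntry{};
    for (std::size_t i = 0; i < levels; ++i) {
        AsarEntry parent;
        parent.isDirectory = true;
        parent.files["d"] = std::move(node);
        node = std::move(parent);
    }
    return node;
}

int main() {
    std::vector<std::string> paths;
    bool ok = EnumerateAsarPaths(MakeNestedTree(kMaxAsarDepth + 1), paths);
    std::puts(ok ? "accepted" : "rejected: ASAR header nested too deep");
    return ok ? 1 : 0;
}
```

Two points follow from the example. First, bounding the walker alone is not enough: a std::map nested tens of thousands of levels deep is torn down by a recursive destructor, so the limit must also be enforced before or during parsing, never only after the tree is built. Second, the limit belongs in an explicit parameter rather than a global counter, so a rejected archive leaves no state behind for the next one.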

Attack Vector

The CVSS attack vector is local: the attacker does not need an account on the machine, but the malicious file must be opened there by a user. The attacker prepares an .asar file whose header contains deeply nested JSON objects and delivers it through email, web download, or shared storage. When the user opens or browses the file in NanaZip, the parser recurses until the stack is exhausted and the process crashes.

No authentication is required and no privileges are gained. The impact is limited to availability of the NanaZip process on the local machine.

Detection Methods for CVE-2026-42355

Indicators of Compromise

  • Unexpected NanaZip process crashes shortly after a user opens a file with an .asar extension.
  • Windows Application event log entries showing stack overflow or access violation faults attributed to NanaZip binaries.
  • Presence of .asar files from untrusted sources in user download or temp directories.

Detection Strategies

  • Inventory installed NanaZip versions across endpoints and flag any build at or above 5.0.1252.0 and below 6.0.1698.0.
  • Hunt for Windows Application log Event ID 1000 (Application Error) records whose faulting application is a NanaZip binary and whose exception code is 0xC00000FD (STATUS_STACK_OVERFLOW).
  • Inspect .asar files at rest by measuring JSON header nesting depth and flagging files that exceed a reasonable threshold.
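The at-rest check in the last bullet is the same check the root-cause section says the vulnerable code lacked: measure header depth before anything recursive sees it. Here is an added example, not code from NanaZip or from any scanner the page refers to, that reads an ASAR file's length-prefixed header and measures its JSON nesting depth in one linear pass. The threshold kSuspiciousDepth = 256 and the helper names are assumptions; the sample headers are constructed inside the block. The header layout it reads (a 4-byte size field, the header size, the string payload size, the string length, then the JSON) is the documented asar on-disk format.

```cpp
// Added example (not NanaZip's code): scan an ASAR file's JSON header for
// nesting depth without parsing it, so a crafted header is flagged or rejected
// before any recursive parser or walker touches it. Header layout per asar:
//   u32 LE 4 | u32 LE header_size | u32 LE payload_size | u32 LE json_len | json | pad
#include <cstddef>
#include <cstdint>
#include <fstream>
#include <iostream>
#include <iterator>
#include <string>
#include <vector>

static uint32_t ReadU32LE(const std::vector<uint8_t>& buf, std::size_t off) {
    return static_cast<uint32_t>(buf[off]) | (static_cast<uint32_t>(buf[off + 1]) << 8) |
           (static_cast<uint32_t>(buf[off + 2]) << 16) | (static_cast<uint32_t>(buf[off + 3]) << 24);
}

// Maximum bracket nesting of a JSON text, computed by a single linear pass that
// skips string contents (including escaped quotes). No recursion, no allocation.
// Returns -1 for unbalanced brackets.
long MaxJsonDepth(const std::string& json) {
    long depth = 0, maxDepth = 0;
    bool inString = false;
    for (std::size_t i = 0; i < json.size(); ++i) {
        char c = json[i];
        if (inString) {
            if (c == '\\') ++i;                  // skip the escaped character
            else if (c == '"') inString = false;
            continue;
        }
        if (c == '"') inString = true;
        else if (c == '{' || c == '[') { if (++depth > maxDepth) maxDepth = depth; }
        else if (c == '}' || c == ']') { if (--depth < 0) return -1; }
    }
    return depth == 0 ? maxDepth : -1;
}

// Extracts the JSON header text from an ASAR file image; false if the length
// prefixes do not fit inside the buffer or the leading size field is not 4.
bool ExtractAsarHeader(const std::vector<uint8_t>& file, std::string& jsonOut) {
    if (file.size() < 16 || ReadU32LE(file, 0) != 4) return false;
    uint32_t headerSize = ReadU32LE(file, 4);
    uint32_t jsonLen = ReadU32LE(file, 12);
    if (jsonLen > headerSize || static_cast<std::size_t>(jsonLen) > file.size() - 16) return false;
    jsonOut.assign(file.begin() + 16, file.begin() + 16 + jsonLen);
    return true;
}

// Depth of the header, or -1 when the file is malformed.
long AsarHeaderDepth(const std::vector<uint8_t>& file) {
    std::string json;
    if (!ExtractAsarHeader(file, json)) return -1;
    return MaxJsonDepth(json);
}

// Verdict for the at-rest scan: malformed or deeper than the threshold is flagged.
// kSuspiciousDepth is an assumed threshold; real Electron apps nest far shallower.
constexpr long kSuspiciousDepth = 256;
bool IsSuspiciousAsar(const std::vector<uint8_t>& file) {
    long d = AsarHeaderDepth(file);
    return d < 0 || d > kSuspiciousDepth;
}

// Constructs an in-memory ASAR image from a header string (sample input for this
// example only; no file contents follow the header).
std::vector<uint8_t> BuildAsarImage(const std::string& json) {
    auto putU32 = [](std::vector<uint8_t>& v, uint32_t x) {
        for (int s = 0; s < 32; s += 8) v.push_back(static_cast<uint8_t>(x >> s));
    };
    uint32_t jsonLen = static_cast<uint32_t>(json.size());
    uint32_t padded = (jsonLen + 3) & ~3u;   // Pickle pads strings to 4 bytes
    std::vector<uint8_t> out;
    putU32(out, 4);                          // size of the size field
    putU32(out, 8 + padded);                 // header pickle: payload size + strlen + string
    putU32(out, 4 + padded);                 // payload size
    putU32(out, jsonLen);
    out.insert(out.end(), json.begin(), json.end());
    out.resize(out.size() + (padded - jsonLen), 0);
    return out;
}

// A header with `levels` nested directories (constructed sample); depth is 2*levels + 3.
std::string NestedHeader(std::size_t levels) {
    std::string json = "{\"files\":{";
    for (std::size_t i = 0; i < levels; ++i) json += "\"d\":{\"files\":{";
    json += "\"leaf.txt\":{\"size\":0,\"offset\":\"0\"}";
    json.append(2 * levels + 2, '}');
    return json;
}

int main(int argc, char** argv) {
    if (argc < 2) { std::cerr << "usage: asar-depth <file.asar>\n"; return 2; }
    std::ifstream in(argv[1], std::ios::binary);
    std::vector<uint8_t> file((std::istreambuf_iterator<char>(in)), std::istreambuf_iterator<char>());
    long d = AsarHeaderDepth(file);
    std::cout << argv[1] << ": header depth " << d << (IsSuspiciousAsar(file) ? " SUSPICIOUS" : " ok") << "\n";
    return 0;
}
```

Because the scan counts brackets byte by byte and never builds a tree, it can be run over every .asar in a download or temp directory with constant stack use regardless of how deep the header nests; the same pass, placed ahead of the JSON parse inside an archive handler, is the pre-parse validation the vulnerable path was missing.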

Monitoring Recommendations

  • Forward Windows Application and Reliability event logs to a central log platform and alert on repeated NanaZip crashes on the same host.
  • Track file-open telemetry that correlates user-launched archive operations with subsequent process exits.
  • Review software inventory feeds for outdated NanaZip installations as part of routine vulnerability management.

How to Mitigate CVE-2026-42355

Immediate Actions Required

  • Upgrade NanaZip to version 6.0.1698.0 or later on all endpoints where it is installed.
  • Instruct users to avoid opening .asar files received from untrusted sources until the upgrade is deployed.
  • Validate the upgrade by checking the installed version reported in the NanaZip About dialog or, where present, the registry uninstall entry; for the MSIX-packaged build, Get-AppxPackage reports the package version.

Patch Information

The vulnerability is fixed in NanaZip 6.0.1698.0. The fix introduces depth limits in the ASAR parser so that both nlohmann::json::parse and GetAllPaths reject excessively nested input. Patch details are available in the GitHub Security Advisory GHSA-4gxf-p4q6-gfrf.

Workarounds

  • Remove or disable NanaZip on systems where an upgrade cannot be performed immediately.
  • Block delivery of .asar attachments through email gateways and web proxies for users who do not require them.
  • Restrict file association for the .asar extension so the format does not auto-open in NanaZip.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
