Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-42443

CVE-2026-42443: NanaZip UFS Parser DOS Vulnerability

CVE-2026-42443 is a divide-by-zero denial of service vulnerability in NanaZip's UFS filesystem parser that causes immediate process crashes. This article covers the technical details, affected versions, and mitigation steps.

Published:

CVE-2026-42443 Overview

CVE-2026-42443 is a divide-by-zero vulnerability [CWE-369] in NanaZip, an open source file archive utility for Windows. The flaw resides in the Unix File System (UFS/UFS2) image parser. Versions from 5.0.1252.0 up to but not including 6.0.1698.0 are affected. An attacker crafts a malicious UFS image where the superblock field fs_ipg (inodes per cylinder group) is set to zero. When NanaZip opens the image, the parser uses this attacker-controlled value as a divisor without validation. The result is an immediate hardware trap and process crash. The issue is fixed in NanaZip 6.0.1698.0.

Critical Impact

A crafted UFS/UFS2 image crashes the NanaZip process on open, producing a local denial of service against the archive utility.

Affected Products

  • NanaZip versions 5.0.1252.0 through 6.0.1697.x
  • NanaZip UFS/UFS2 filesystem image parser component
  • Windows hosts running vulnerable NanaZip builds

Discovery Timeline

  • 2026-05-12 - CVE-2026-42443 published to NVD
  • 2026-05-13 - Last updated in NVD database

Technical Details for CVE-2026-42443

Vulnerability Analysis

The vulnerability is a classic divide-by-zero condition in archive format parsing. NanaZip supports opening UFS and UFS2 filesystem images as archives. During parsing, the code reads the on-disk superblock and extracts the fs_ipg field, which describes the number of inodes per cylinder group. The parser then uses fs_ipg as a divisor when computing offsets and counts for cylinder group metadata. Because the value comes directly from the input file and is not validated against zero, an attacker who controls the image controls the divisor.

On x86 and x64 hardware, an integer division by zero raises a #DE (divide error) CPU exception. Windows translates this into an EXCEPTION_INT_DIVIDE_BY_ZERO structured exception. NanaZip does not handle this condition gracefully in the UFS parser path, so the process terminates.

Root Cause

The root cause is missing input validation on a length-related field consumed from untrusted file data. The parser trusts the superblock fs_ipg value and performs arithmetic without a zero check before division. See the GitHub Security Advisory GHSA-3x2h-gqqw-g3gm for the upstream technical description.

Attack Vector

Exploitation requires local user interaction. An attacker delivers a crafted UFS/UFS2 image, typically with a .img, .ufs, or similar extension, and convinces a user to open it in NanaZip. No authentication or elevated privileges are required. Impact is limited to availability of the NanaZip process. There is no memory corruption, no information disclosure, and no code execution primitive associated with this specific bug.

No verified proof-of-concept code is published. The vulnerability mechanism is described in prose because no validated exploit artifacts are available in the referenced advisory.

Detection Methods for CVE-2026-42443

Indicators of Compromise

  • Unexpected NanaZip.exe or NanaZipShellExtension process termination events on user workstations
  • Windows Error Reporting entries citing EXCEPTION_INT_DIVIDE_BY_ZERO (0xC0000094) in NanaZip modules
  • Inbound UFS or UFS2 disk images delivered via email, chat, or web download to end-user systems

Detection Strategies

  • Inventory installed NanaZip versions across managed endpoints and flag any build below 6.0.1698.0
  • Hunt for application crash telemetry where the faulting module belongs to NanaZip and the exception code is 0xC0000094
  • Inspect email and web gateways for attachments with UFS/UFS2 magic bytes opened by users running vulnerable NanaZip versions

Monitoring Recommendations

  • Forward Windows Application event log entries (Event ID 1000, 1001) into a central log store and alert on repeated NanaZip faults
  • Track file-open telemetry on endpoints for unusual filesystem image types being handed off to archive utilities
  • Correlate user reports of "file won't open" with crash events to surface targeted abuse attempts

How to Mitigate CVE-2026-42443

Immediate Actions Required

  • Upgrade NanaZip to version 6.0.1698.0 or later on all Windows endpoints where it is installed
  • Remove NanaZip from systems where archive utility functionality is not required
  • Advise users to avoid opening UFS or UFS2 disk images received from untrusted sources until patched

Patch Information

The vendor fixed the issue in NanaZip 6.0.1698.0 by validating the fs_ipg superblock field before using it as a divisor. Patch details and the upstream commit are referenced in the NanaZip GitHub Security Advisory. Deploy the updated installer through your software distribution tooling and verify the version string after installation.

Workarounds

  • Restrict file associations so UFS/UFS2 images are not opened by NanaZip on user workstations
  • Block delivery of UFS/UFS2 filesystem images at email and web proxies where business workflows do not require them
  • Use an alternative, patched archive utility for inspecting filesystem images until the NanaZip upgrade is deployed
bash
# Configuration example: verify installed NanaZip version on Windows
Get-AppxPackage -Name *NanaZip* | Select-Object Name, Version
# Confirm Version is 6.0.1698.0 or higher

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne