CVE-2026-42444: NanaZip littlefs Parser DoS Vulnerability

CVE-2026-42444 is a denial-of-service flaw in NanaZip's littlefs filesystem parser that allows attackers to exhaust system memory through crafted images. This article covers technical details, affected versions, and fixes.

CVE-2026-42444 Overview

CVE-2026-42444 is a denial-of-service vulnerability in NanaZip, an open source file archive utility for Windows. The flaw is in the littlefs filesystem image parser. Versions 5.0.1252.0 and later, up to but not including 6.0.1698.0, are affected. The handler's Open method reads BlockCount directly from the attacker-controlled superblock without validating it against the actual file size or any upper bound. A crafted 44-byte littlefs image with BlockCount = 0xFFFFFFFF drives the parser into roughly 4 billion heap allocations, exhausting available memory. The issue is tracked as CWE-770 (Allocation of Resources Without Limits or Throttling).

Critical Impact

A single 44-byte malicious archive can exhaust system memory on the target host, requiring only that a user open the file in a vulnerable NanaZip version.

Affected Products

  • NanaZip versions 5.0.1252.0 through versions prior to 6.0.1698.0
  • Fixed in NanaZip 6.0.1698.0
  • Component: littlefs filesystem image parser handler

Discovery Timeline

  • 2026-05-12 - CVE-2026-42444 published to NVD
  • 2026-05-14 - Last updated in NVD database

Technical Details for CVE-2026-42444

Vulnerability Analysis

The vulnerability resides in the littlefs image parser shipped with NanaZip. When NanaZip opens a littlefs filesystem image, the parser's Open method reads the BlockCount field from the superblock structure. This value is treated as authoritative without sanity checks. The parser then enters a loop that runs BlockCount iterations, allocating a file-path entry on each pass.

An attacker sets BlockCount to 0xFFFFFFFF (4,294,967,295) inside a 44-byte image. The resulting loop attempts roughly four billion heap allocations, depleting process memory and triggering an out-of-memory condition. The disproportion between input size (44 bytes) and memory consumption (bounded only by what the process can allocate) is what makes this an algorithmic amplification flaw classified under CWE-770.

Root Cause

The parser trusts an attacker-controlled length field in the superblock. There is no comparison between BlockCount and the actual file size, and no maximum ceiling enforces a reasonable bound. The pre-allocation occurs before any block is actually read, so the loop continues until memory is exhausted.
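The unchecked loop and the bound the fix is described as adding, as an added example in C++ that is not NanaZip's or littlefs' code. The header layout and offsets, the version constant, the kMaxBlocks ceiling and every sample image are constructed for illustration; the real littlefs superblock is tag-encoded and is not reproduced here. `vulnerable_open` mirrors the flaw (loop bound taken from the image) and takes a budget only so the demo stops short of exhausting memory; `hardened_open` compares BlockCount with the image size in 64-bit arithmetic and applies a ceiling before any per-block allocation.

```cpp
// Added example, not NanaZip's code: a minimal littlefs-style image opener
// showing the unchecked BlockCount loop beside a bounded version of the check.
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <memory>
#include <string>
#include <vector>

// Assumed, simplified header layout for this example. It carries only the
// fields the write-up names; offsets are an assumption, not the on-disk format.
//   0..7   magic "littlefs"
//   8..11  u32 LE version
//   12..15 u32 LE block_size
//   16..19 u32 LE block_count
//   20..43 padding, so a header-only image is 44 bytes like the one reported
static constexpr size_t kHeaderSize = 44;
static constexpr uint32_t kMaxBlocks = 1u << 24;  // example ceiling (assumption)

struct Superblock { uint32_t version, block_size, block_count; };

static uint32_t rd32(const uint8_t* p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

// Shared by both openers: reads the fields without judging block_count.
static bool read_superblock(const std::vector<uint8_t>& img, Superblock& sb) {
    if (img.size() < kHeaderSize || std::memcmp(img.data(), "littlefs", 8) != 0) return false;
    sb.version = rd32(&img[8]);
    sb.block_size = rd32(&img[12]);
    sb.block_count = rd32(&img[16]);
    return true;
}

// Vulnerable pattern: the loop bound is the attacker's block_count and one
// path entry is allocated per iteration. The budget exists only so this demo
// stops before it exhausts memory; the flawed handler had no such brake.
// Returns the number of entries allocated and reports whether the budget hit.
static uint64_t vulnerable_open(const std::vector<uint8_t>& img, uint64_t budget, bool& hit_budget) {
    Superblock sb{};
    hit_budget = false;
    if (!read_superblock(img, sb)) return 0;
    std::vector<std::unique_ptr<std::string>> paths;
    uint64_t made = 0;
    for (uint32_t i = 0; i < sb.block_count; ++i) {  // trusts block_count
        if (made == budget) { hit_budget = true; break; }
        paths.push_back(std::make_unique<std::string>("block/" + std::to_string(i)));
        ++made;
    }
    return made;
}

enum class OpenStatus { Ok, BadHeader, ZeroBlockSize, ZeroBlockCount, CountExceedsImage, CountExceedsCeiling };

// Hardened pattern: every rejection happens before any per-block allocation.
static OpenStatus hardened_open(const std::vector<uint8_t>& img, Superblock& sb) {
    if (!read_superblock(img, sb)) return OpenStatus::BadHeader;
    if (sb.block_size == 0) return OpenStatus::ZeroBlockSize;
    if (sb.block_count == 0) return OpenStatus::ZeroBlockCount;
    // 64-bit product so a huge count cannot wrap the comparison.
    if ((uint64_t)sb.block_count * sb.block_size > img.size()) return OpenStatus::CountExceedsImage;
    if (sb.block_count > kMaxBlocks) return OpenStatus::CountExceedsCeiling;
    return OpenStatus::Ok;
}

// Constructed sample images (not real littlefs output); 0x00020000 is an
// assumed version value with no significance to the checks above.
static std::vector<uint8_t> make_image(uint32_t block_size, uint32_t block_count, size_t total_size) {
    std::vector<uint8_t> img(total_size < kHeaderSize ? kHeaderSize : total_size, 0);
    std::memcpy(img.data(), "littlefs", 8);
    uint32_t fields[3] = {0x00020000u, block_size, block_count};
    for (int f = 0; f < 3; ++f)
        for (int b = 0; b < 4; ++b) img[8 + 4 * f + b] = (uint8_t)(fields[f] >> (8 * b));
    return img;
}

int main() {
    Superblock sb{};
    bool hit = false;
    auto hostile = make_image(512, 0xFFFFFFFFu, 44);  // the reported 44-byte shape
    auto benign  = make_image(512, 4, 2048);           // 4 blocks really present
    uint64_t made = vulnerable_open(hostile, 100000, hit);
    std::printf("vulnerable: %llu entries allocated, budget hit=%d\n", (unsigned long long)made, (int)hit);
    int h = (int)hardened_open(hostile, sb);
    int b = (int)hardened_open(benign, sb);
    std::printf("hardened: hostile -> %d, benign -> %d (block_count=%u)\n", h, b, sb.block_count);
    return 0;
}
```

The order of the two hardened checks matters for the 44-byte case: the size comparison already rejects it, so the ceiling only has to catch images that are genuinely large but still claim more blocks than a handler should ever pre-allocate for. The same size comparison doubles as a triage filter for the small-file indicator described later on this page: any littlefs-looking file whose claimed block_count times block_size exceeds its own length is worth holding back from users.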

Attack Vector

Exploitation requires user interaction. A victim must open a crafted littlefs image in a vulnerable NanaZip version. The attack vector is local because the malicious file must reach the target system, typically via email attachment, download, or shared storage. The vulnerability does not yield code execution, only availability impact on the NanaZip process and potentially the host under memory pressure.

No public proof-of-concept exploit or in-the-wild exploitation has been reported. The EPSS probability is 0.013%.

Detection Methods for CVE-2026-42444

Indicators of Compromise

  • NanaZip process consuming abnormal amounts of memory shortly after a user opens an archive file
  • Presence of small (≈44 byte) files with littlefs filesystem signatures arriving via email or download channels
  • Application crashes or STATUS_NO_MEMORY errors originating from NanaZip processes

Detection Strategies

  • Inventory installed NanaZip versions across the fleet and flag any build at or above 5.0.1252.0 and below 6.0.1698.0
  • Monitor for unexpected memory growth in NanaZip.exe or related handler processes
  • Inspect file telemetry for littlefs-format images delivered from untrusted sources

Monitoring Recommendations

  • Track process resource consumption metrics with thresholds on private working set size for archive handlers
  • Log file open events for NanaZip and correlate with subsequent crashes or memory pressure alerts
  • Review software inventory reports against the fixed version 6.0.1698.0 on a recurring schedule

How to Mitigate CVE-2026-42444

Immediate Actions Required

  • Upgrade NanaZip to version 6.0.1698.0 or later on all endpoints where it is installed
  • Restrict opening of untrusted archive files, particularly small littlefs images from external sources
  • Communicate user awareness guidance about opening unknown archives until patching is complete

Patch Information

The vendor fixed CVE-2026-42444 in NanaZip 6.0.1698.0. The patch adds validation of the BlockCount superblock field against the actual image size and enforces an upper bound before allocation. See the NanaZip GitHub Security Advisory GHSA-7hqh-mq57-wjmq for full details.

Workarounds

  • Uninstall NanaZip versions in the affected range if patching cannot be completed immediately
  • Use an alternate archive utility for opening littlefs filesystem images until the upgrade is deployed
  • Block delivery of unsolicited littlefs image files at email and web gateways
```powershell
# Verify installed NanaZip version on Windows (PowerShell, MSIX/Store install)
# Affected range: 5.0.1252.0 and later, below 6.0.1698.0
Get-AppxPackage -Name "*NanaZip*" |
    Select-Object Name, Version,
        @{ n = 'Affected'; e = { [version]$_.Version -ge [version]'5.0.1252.0' -and
                                 [version]$_.Version -lt [version]'6.0.1698.0' } }

# Upgrade via winget to the fixed release
winget upgrade --id M2Team.NanaZip --version 6.0.1698.0
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
