CVE-2026-42444: CWE-770: Allocation of Resources Without Limits or Throttling in M2Team NanaZip
NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a denial-of-service vulnerability exists in the littlefs filesystem image parser in NanaZip. The handler's Open method reads BlockCount directly from the attacker-controlled superblock without any validation against the actual file size or any upper-bound ceiling, then iterates BlockCount times, allocating a file-path entry per iteration. A crafted 44-byte littlefs image with BlockCount = 0xFFFFFFFF causes ~4 billion heap allocations, exhausting available memory. This vulnerability is fixed in 6.0.1698.0.
AI Analysis
Technical Summary
CVE-2026-42444 is a resource exhaustion vulnerability in NanaZip's littlefs filesystem image parser. The Open method reads the BlockCount field from a maliciously crafted superblock without validation, then allocates memory for each block count entry. A crafted 44-byte littlefs image with BlockCount set to 0xFFFFFFFF triggers approximately 4 billion heap allocations, leading to memory exhaustion and denial of service. The vulnerability affects NanaZip versions from 5.0.1252.0 to before 6.0.1698.0 and is resolved in version 6.0.1698.0.
Potential Impact
Successful exploitation results in denial of service due to memory exhaustion caused by uncontrolled heap allocations. There is no impact on confidentiality or integrity. The CVSS score is 3.3 (low severity), reflecting the local attack vector, low complexity, no privileges required, and user interaction needed.
Mitigation Recommendations
This vulnerability is fixed in NanaZip version 6.0.1698.0. Users should upgrade to this version or later to remediate the issue. No other mitigation or workaround is indicated. Patch status is confirmed fixed in the specified version.
CVE-2026-42444: CWE-770: Allocation of Resources Without Limits or Throttling in M2Team NanaZip
Description
NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, a denial-of-service vulnerability exists in the littlefs filesystem image parser in NanaZip. The handler's Open method reads BlockCount directly from the attacker-controlled superblock without any validation against the actual file size or any upper-bound ceiling, then iterates BlockCount times, allocating a file-path entry per iteration. A crafted 44-byte littlefs image with BlockCount = 0xFFFFFFFF causes ~4 billion heap allocations, exhausting available memory. This vulnerability is fixed in 6.0.1698.0.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42444 is a resource exhaustion vulnerability in NanaZip's littlefs filesystem image parser. The Open method reads the BlockCount field from a maliciously crafted superblock without validation, then allocates memory for each block count entry. A crafted 44-byte littlefs image with BlockCount set to 0xFFFFFFFF triggers approximately 4 billion heap allocations, leading to memory exhaustion and denial of service. The vulnerability affects NanaZip versions from 5.0.1252.0 to before 6.0.1698.0 and is resolved in version 6.0.1698.0.
Potential Impact
Successful exploitation results in denial of service due to memory exhaustion caused by uncontrolled heap allocations. There is no impact on confidentiality or integrity. The CVSS score is 3.3 (low severity), reflecting the local attack vector, low complexity, no privileges required, and user interaction needed.
Mitigation Recommendations
This vulnerability is fixed in NanaZip version 6.0.1698.0. Users should upgrade to this version or later to remediate the issue. No other mitigation or workaround is indicated. Patch status is confirmed fixed in the specified version.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-27T13:55:58.692Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a03813ccbff5d861012f66a
Added to database: 5/12/2026, 7:36:28 PM
Last enriched: 5/12/2026, 8:07:46 PM
Last updated: 5/13/2026, 4:59:58 AM
Views: 2
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.