CVE•Published 2026-05-12•Modified 2026-05-18•0 articles on news•6 live references•NVD data

CVE-2026-42443M2team · Nanazip

Vulnerability data via NVD (ingested)

CVSS v3.1

3.3

LOW

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L

EPSS percentile

—

Weaknesses (CWE)

CWE-369Divide By Zero

Description

NanaZip is an open source file archive. From 5.0.1252.0 to before 6.0.1698.0, an integer divide-by-zero exists in the UFS/UFS2 filesystem image parser in NanaZip. The vulnerability is triggered when opening a crafted UFS image where the superblock field fs_ipg (inodes per cylinder group) is set to zero. The parser uses this attacker-controlled value as a divisor without validation, causing an immediate hardware trap and process crash. This vulnerability is fixed in 6.0.1698.0.

Timeline

Published 2026-05-12

Modified 2026-05-18

External references

NVD MITRE Exploit-DB GitHub PoC Sploitus VulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts

vuln:CVE-2026-42443

Hosts Shodan has explicitly fingerprinted as vulnerable.

Shodan · product

product:"M2team Nanazip"

All exposed M2team Nanazip instances — cross-reference with the CVE's affected-version range.

Shodan · banner/body mention

http.html:"Nanazip"

HTTP body or banner mentions "Nanazip" — catches deploys Shodan didn't identify as a product.

More intel sources (5)

Shodan report

vuln:CVE-2026-42443