CVE-2026-42171
7.8
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Nullsoft | Nullsoft Scriptable Install System | 3.06.1 < 3.12 | affected |
Weaknesses
- CWE-427: CWE-427 Uncontrolled Search Path Element
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: total
References
- https://nsis.sourceforge.io/Docs/AppendixF.html#v3.12-cl
- https://github.com/NSIS-Dev/nsis/commit/8e6f02205d5f22da6c7855dbfe59b2af667330ca
- https://github.com/NSIS-Dev/nsis/blob/7359413009afd4f0fff472d841fc2f2cc0e0a5f8/Source/exehead/util.c#L475-L484
- https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-gettempfilename
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.