CVE-2026-42171 | THREATINT

Description

NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).

PUBLISHED Reserved 2026-04-24 | Published 2026-04-24 | Updated 2026-04-25 | Assigner mitre

HIGH: 7.8CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Problem types

CWE-427 Uncontrolled Search Path Element

Product status

Default status

unaffected

3.06.1 (custom) before 3.12

affected

References

nsis.sourceforge.io/Docs/AppendixF.html

github.com/...ommit/8e6f02205d5f22da6c7855dbfe59b2af667330ca

github.com/...fff472d841fc2f2cc0e0a5f8/Source/exehead/util.c

learn.microsoft.com/...pi/winbase/nf-winbase-gettempfilename

cve.org (CVE-2026-42171)

nvd.nist.gov (CVE-2026-42171)

Download JSON