CVE-2026-42171

HIGH CVSS 7.8 View on NVD ↗

Description

NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

References

https://github.com/NSIS-Dev/nsis/blob/7359413009afd4f0fff472d841fc2f2cc0e0a5f8/Source/exehead/util.c#L475-L484
https://github.com/NSIS-Dev/nsis/commit/8e6f02205d5f22da6c7855dbfe59b2af667330ca
https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-gettempfilename
https://nsis.sourceforge.io/Docs/AppendixF.html#v3.12-cl

Published: Apr 24, 2026 22:16 UTC Modified: Apr 24, 2026 22:16 UTC