CVE-2026-42171
Published: 24 April 2026
Summary
CVE-2026-42171 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in NSIS (Nullsoft Scriptable Install System); the vendor is listed as Microsoft (inferred from references). Its CVSS base score is 7.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068). The CVE ranks at the 0.2 percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5) [AI]
Remediating the specific flaw in NSIS versions 3.06.1 through 3.11.x by upgrading to 3.12 or later directly fixes the improper temporary file handling that enables privilege escalation.
Authorizing and restricting software usage to only approved versions prevents execution of vulnerable NSIS installers that exploit the low integrity level temp directory issue.
Enforcing least privilege keeps NSIS processes from running as SYSTEM unnecessarily, reducing the privilege escalation potential when untrusted low IL temporary directories are used.
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
The CVE describes a local privilege escalation vulnerability in NSIS caused by an uncontrolled search path element in its temp file handling, which directly enables T1068 Exploitation for Privilege Escalation when a malicious installer is executed.
NVD Description
NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).
Deeper analysis [AI]
CVE-2026-42171 is a local privilege escalation vulnerability (CWE-427: Uncontrolled Search Path Element) affecting NSIS (Nullsoft Scriptable Install System) versions 3.06.1 through 3.11.x. NSIS executables running with SYSTEM privileges sometimes use the Low Integrity Level (IL) temporary directory instead of a secure path. This happens if the custom my_GetTempFileName function returns 0, as demonstrated in the source code at util.c lines 475-484, which allows unintended file placement and execution in a location intended for low-privilege use.
Local unprivileged attackers (PR:N) can exploit this vulnerability with low complexity (AC:L) but require user interaction (UI:R), such as convincing a user to run a malicious NSIS installer. Successful exploitation enables high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), resulting in privilege escalation to SYSTEM level by manipulating temp file creation in the Low IL directory.
Mitigation involves upgrading to NSIS 3.12 or later, where the issue is addressed via changes documented in the release notes (Appendix F) and a specific commit (8e6f022) that fixes the temp file handling logic. Additional context on safe temp file APIs is available in Microsoft documentation for GetTempFileName. No public advisories detail active exploitation.
Details
- CWE(s)