Cyber Resilience

CVE-2026-42171

HighUpdated

Published: 24 April 2026

Published
24 April 2026
Modified
18 May 2026
KEV Added
Patch
CVSS Score v3.1 7.8 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS Score 0.0001 0.5th percentile
Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42171 is a high-severity Uncontrolled Search Path Element (CWE-427) vulnerability in Nullsoft Nullsoft Scriptable Install System. Its CVSS base score is 7.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploitation for Privilege Escalation (T1068); ranked at the 0.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-10 (Software Usage Restrictions) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-42171 is a local privilege escalation vulnerability (CWE-427: Untrusted Search Path) affecting NSIS (Nullsoft Scriptable Install System) versions 3.06.1 through 3.11.x. The flaw occurs when NSIS executables running with SYSTEM privileges sometimes use the Low Integrity Level (IL) temporary directory instead of a secure path. This happens if the custom my_GetTempFileName function returns 0, as demonstrated in the source code at util.c lines 475-484, allowing unintended file placement and execution in a low-privilege context.

Local unprivileged attackers (PR:N) can exploit this vulnerability with low complexity (AC:L) but require user interaction (UI:R), such as convincing a user to run a malicious NSIS installer. Successful exploitation enables high-impact confidentiality, integrity, and availability violations (C:H/I:H/A:H), resulting in privilege escalation to SYSTEM level by manipulating temp file creation in the Low IL directory.

Mitigation involves upgrading to NSIS 3.12 or later, where the issue is addressed via changes documented in the release notes (Appendix F) and a specific commit (8e6f022) that fixes the temp file handling logic. Additional context on safe temp file APIs is available in Microsoft documentation for GetTempFileName. No public advisories detail active exploitation.

EU & UK References

Vulnerability details

NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1068 Exploitation for Privilege Escalation Privilege Escalation
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
Why these techniques?

The CVE describes a local privilege escalation vulnerability in NSIS via untrusted search path in temp file handling, directly enabling T1068 Exploitation for Privilege Escalation when a malicious installer is executed.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-23741Shared CWE-427
CVE-2026-4134Shared CWE-427
CVE-2026-2361Shared CWE-427
CVE-2026-2360Shared CWE-427
CVE-2026-23740Shared CWE-427
CVE-2024-9495Shared CWE-427
CVE-2026-24502Shared CWE-427
CVE-2025-48503Shared CWE-427
CVE-2026-34054Shared CWE-427
CVE-2025-24998Shared CWE-427

Affected Assets

nullsoft
nullsoft scriptable install system
3.06.1 — 3.12

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Remediating the specific flaw in NSIS versions 3.06.1 through 3.11.x by upgrading to 3.12 or later directly fixes the improper temporary file handling that enables privilege escalation.

prevent

Authorizing and restricting software usage to only approved versions prevents execution of vulnerable NSIS installers that exploit the low integrity level temp directory issue.

prevent

Enforcing least privilege limits NSIS processes from running as SYSTEM unnecessarily, reducing the privilege escalation potential when using untrusted low IL temporary directories.

References