CVE-2026-42171

HIGH

Nullsoft Scriptable Install System <3.12 - Privilege Escalation

Title source: llm

Description

NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).

References (4)

Core 4

Core References

https://nsis.sourceforge.io/Docs/AppendixF.html#v3.12-cl

https://github.com/NSIS-Dev/nsis/commit/8e6f02205d5f22da6c7855dbfe59b2af667330ca

View Patch ZIP pw:eip

https://github.com/NSIS-Dev/nsis/blob/7359413009afd4f0fff472d841fc2f2cc0e0a5f8/Source/exehead/util.c#L475-L484

View Writeup ZIP pw:eip

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-gettempfilename

Scores

CVSS v3 7.8

EPSS 0.0021

EPSS Percentile 11.1%

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-427

Status published

Products (2)

Nullsoft/Nullsoft Scriptable Install System 3.06.1 - 3.12

nullsoft/nullsoft_scriptable_install_system 3.06.1 - 3.12

Published Apr 24, 2026

Tracked Since Apr 24, 2026