CVE-2026-42171

HIGH

Nullsoft Scriptable Install System <3.12 - Privilege Escalation

Title source: llm

Description

NSIS (Nullsoft Scriptable Install System) 3.06.1 before 3.12 sometimes uses the Low IL temp directory when executing as SYSTEM, allowing local attackers to gain privileges (if they can cause my_GetTempFileName to return 0, as shown in the references).

References (4)

https://nsis.sourceforge.io/Docs/AppendixF.html#v3.12-cl

https://github.com/NSIS-Dev/nsis/commit/8e6f02205d5f22da6c7855dbfe59b2af667330ca

https://github.com/NSIS-Dev/nsis/blob/7359413009afd4f0fff472d841fc2f2cc0e0a5f8/Source/exehead/util.c#L475-L484

View Writeup ZIP pw:eip

https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-gettempfilename

Scores

CVSS v3 7.8

Attack Vector LOCAL

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Details

CWE

CWE-427

Status published

Products (1)

Nullsoft/Nullsoft Scriptable Install System 3.06.1 - 3.12

Published Apr 24, 2026

Tracked Since Apr 24, 2026