CVE-2026-42171: NSIS Privilege Escalation Vulnerability

The National Vulnerability Database has disclosed CVE-2026-42171, a high-severity vulnerability (CVSS 7.8) affecting Nullsoft Scriptable Install System (NSIS) versions from 3.06.1 up to, but not including, 3.12. This flaw, categorized as CWE-427 (Uncontrolled Search Path Element), allows local attackers to achieve privilege escalation. The vulnerability arises because NSIS, when executing as SYSTEM, sometimes uses the Low IL (Integrity Level) temporary directory.

An attacker can exploit this by manipulating my_GetTempFileName to return zero, directing NSIS to a controlled low-integrity directory. This enables a local attacker to inject malicious code into the SYSTEM context, leading to arbitrary code execution with elevated privileges. While the National Vulnerability Database did not specify affected products beyond NSIS itself, any application utilizing vulnerable NSIS installers is implicitly at risk.

This is a classic local privilege escalation vector. Once an attacker has a foothold on a system, this vulnerability provides a clear path to SYSTEM-level control. Defenders must recognize that such flaws are often chained with initial access techniques, turning a low-privilege compromise into a full system takeover. The attacker’s calculus here is simple: leverage a common installer component to bypass security boundaries.

What This Means For You

  • If your organization uses NSIS for software deployment or relies on applications built with NSIS installers, you need to verify the NSIS version immediately. Prioritize upgrading NSIS to version 3.12 or newer to mitigate CVE-2026-42171. Audit your endpoints for any vulnerable NSIS installations, especially on critical servers or developer workstations.
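One way to run the audit described above, as an added example that is not part of the original advisory or of NSIS: it sweeps a directory for installers stamped with an NSIS version and flags those inside the affected range the page gives. The manifest marker string, the 8 MiB read bound and all function names are assumptions of this sketch.

```python
import re
import sys
from pathlib import Path

# Assumption: the installer stub's manifest carries a description such as
# "Nullsoft Install System v3.08"; stripped or repacked stubs will not match.
MARKER = re.compile(rb"Nullsoft Install System v(\d+(?:\.\d+)+)")
FIRST_AFFECTED = (3, 6, 1)    # range as stated in the advisory
FIRST_FIXED = (3, 12)
HEAD_BYTES = 8 * 1024 * 1024  # assumed bound: the stub precedes the payload


def parse_version(text):
    """'3.06.1' -> (3, 6, 1), so 3.08 < 3.10 < 3.12 compare numerically."""
    return tuple(int(part) for part in text.split("."))


def nsis_version(blob):
    """Return the NSIS version string found in an installer image, or None."""
    match = MARKER.search(blob)
    return match.group(1).decode("ascii") if match else None


def is_affected(version):
    """True when version lies in [3.06.1, 3.12)."""
    return FIRST_AFFECTED <= parse_version(version) < FIRST_FIXED


def audit(root):
    """Return [(path, version, affected)] for each NSIS-stamped .exe under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.suffix.lower() != ".exe" or not path.is_file():
            continue
        try:
            with path.open("rb") as handle:
                blob = handle.read(HEAD_BYTES)
        except OSError:
            continue  # locked or unreadable; skip rather than abort the sweep
        version = nsis_version(blob)
        if version:
            findings.append((str(path), version, is_affected(version)))
    return findings


if __name__ == "__main__":
    for path, version, affected in audit(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{'AFFECTED' if affected else 'ok':<8} NSIS {version:<7} {path}")
```

A file with no marker is simply not reported, so an empty result means "no stamped installers found", not "no NSIS installers present".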

🛡️ Detection Rules

high T1574.002 Privilege Escalation

CVE-2026-42171: NSIS Privilege Escalation via Low IL Temp Directory

Sigma YAML — free preview
title: 'CVE-2026-42171: NSIS Privilege Escalation via Low IL Temp Directory'
id: scw-2026-04-24-ai-1
status: experimental
level: high
description: |
  Detects the execution of nsis.exe with command line arguments that suggest the use of the vulnerable my_GetTempFileName function, which can lead to privilege escalation by exploiting the Low IL temp directory when executed as SYSTEM. This is specific to CVE-2026-42171.
author: SCW Feed Engine (AI-generated)
date: 2026-04-24
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-42171/
tags:
  - attack.privilege_escalation
  - attack.t1574.002
logsource:
  category: process_creation
detection:
  # Both fields must match: the image path contains 'nsis.exe' AND the
  # command line contains the literal string 'my_GetTempFileName'.
  # my_GetTempFileName is named on this page as an NSIS function, so the
  # rule fires only when that string appears verbatim in a command line.
  selection:
    Image|contains:
      - 'nsis.exe'
    CommandLine|contains:
      - 'my_GetTempFileName'
  # Fire when the selection matches.
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World · License & reuse

Indicators of Compromise

ID | Type | Indicator
CVE-2026-42171 | Privilege Escalation | NSIS (Nullsoft Scriptable Install System) versions before 3.12
CVE-2026-42171 | Privilege Escalation | NSIS (Nullsoft Scriptable Install System) 3.06.1
CVE-2026-42171 | Privilege Escalation | Vulnerable function: my_GetTempFileName returning 0
CVE-2026-42171 | Privilege Escalation | Execution as SYSTEM using Low IL temp directory

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 25, 2026 at 01:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.