nano Format String Vulnerability: Statusline DoS
CVE-2026-6843 Published on April 22, 2026

Nano: nano: format string vulnerability leads to denial of service
A flaw was found in nano. A local user could exploit a format string vulnerability in the `statusline()` function. By creating a directory with a name containing `printf` specifiers, the application attempts to display this name, leading to a segmentation fault (SEGV). This results in a Denial of Service (DoS) for the `nano` application.

NVD

Vulnerability Analysis

CVE-2026-6843 can be exploited with local system access, requires user interaction. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have no impact on confidentiality and integrity, and a high impact on availability.

Attack Vector:
LOCAL
Attack Complexity:
LOW
Privileges Required:
NONE
User Interaction:
REQUIRED
Scope:
UNCHANGED
Confidentiality Impact:
NONE
Integrity Impact:
NONE
Availability Impact:
HIGH

Timeline

Reported to Red Hat.

Made public.

Weakness Type

Use of Externally-Controlled Format String

The software uses a function that accepts a format string as an argument, but the format string originates from an external source.


Products Associated with CVE-2026-6843

stack.watch emails you whenever new vulnerabilities are published in Red Hat Enterprise Linux (RHEL) or Red Hat Openshift. Just hit a watch button to start following.

Red Hat Enterprise Linux (RHEL)
 
Red Hat Openshift
 

Affected Versions

Red Hat Enterprise Linux 10: Red Hat Enterprise Linux 6: Red Hat Enterprise Linux 7: Red Hat Enterprise Linux 8: Red Hat Enterprise Linux 9: Red Hat OpenShift Container Platform 4: