OpenMcdf CVE-2026-41511
MEDIUMSeverity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionGitHub Advisory
Summary
OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch.
Details
CFB directory entries form a red-black tree linked by LeftSiblingID and RightSiblingID fields. OpenMcdf's DirectoryTreeEnumerator and DirectoryTree.TryGetDirectoryEntry traverse this tree without tracking visited node IDs, so a crafted cycle (e.g. entry A's RightSiblingID points to entry B, and entry B's LeftSiblingID points back to entry A) causes traversal to loop indefinitely.
Two distinct code paths are affected:
Storage.EnumerateEntries()-DirectoryTreeEnumerator.MoveNext()never returnsfalse; the same entry is yielded on every iteration and the caller'sforeachnever exits. Heap grows unboundedly as entries accumulate.Storage.OpenStream()-DirectoryTree.TryGetDirectoryEntryloops indefinitely insideDirectoryEntries.TryGetSiblingduring the name lookup.
PoC
A crafted CFB file with a sibling cycle (see attached) triggers the issue with the following code:
using OpenMcdf;
using var ms = new MemoryStream(File.ReadAllBytes("crafted.cfb"));
using var root = RootStorage.Open(ms);
// Never returns - EnumerateEntries loops indefinitely
foreach (var entry in root.EnumerateEntries())
{
Console.WriteLine(entry.Name);
if (entry.Type == EntryType.Stream)
root.OpenStream(entry.Name); // also hangs depending on the cycle structure
}Impact
A denial of service affecting any application that opens untrusted CFB files with OpenMcdf. A small crafted input carrying a valid CFB magic header (D0 CF 11 E0 A1 B1 1A E1) is sufficient to pass initial format validation and reach the vulnerable traversal code. No exception is thrown, so try/catch cannot protect callers. The affected thread is unrecoverable without killing the process.
AnalysisAI
OpenMcdf fails to detect cycles in Compound File Binary (CFB) directory entry red-black trees, causing indefinite loops in Storage.EnumerateEntries() and Storage.OpenStream() when processing crafted CFB files with sibling ID cycles. This denial-of-service vulnerability consumes the calling thread permanently with no recovery path via exception handling, affecting any application opening untrusted CFB documents. Patch available in version 3.1.3.
Technical ContextAI
OpenMcdf is a .NET library for parsing Microsoft Compound File Binary (CFB) documents, a legacy container format used by Office 97-2003, OLE, and other Microsoft applications. CFB files organize directory entries as red-black trees with left and right sibling pointers (LeftSiblingID and RightSiblingID fields). The vulnerability exists in DirectoryTreeEnumerator and DirectoryTree.TryGetDirectoryEntry methods, which traverse this tree structure without maintaining a set of visited node IDs to detect cycles. When a crafted CFB file contains circular references (e.g., entry A's RightSiblingID points to B, and B's LeftSiblingID points back to A), the traversal enters an infinite loop. The root cause is CWE-835 (Loop with Unreachable Exit Condition), where the sibling-following logic assumes the tree is acyclic and will eventually reach a null terminator.
RemediationAI
Upgrade OpenMcdf to version 3.1.3 or later. The patch (commit 24f445a557fc4f46461cf6d02d296cce16c293a0) adds cycle detection to DirectoryTreeEnumerator and DirectoryTree.TryGetDirectoryEntry by tracking visited node IDs during tree traversal, preventing infinite loops. For applications unable to upgrade immediately, implement a timeout wrapper around Storage.EnumerateEntries() and Storage.OpenStream() calls-wrap these methods with a cancellation token using Task.Run with a timeout (e.g., 5 seconds); if exceeded, abort the operation and log the malformed CFB file. This workaround has a trade-off: legitimate large CFB files with deep tree structures may trigger false timeouts if the timeout is too aggressive. Additionally, validate CFB file sources: reject CFB files from untrusted sources unless they have been scanned by a dedicated CFB parser validator (not a general antivirus, which may not detect malformed directory trees). Patch source: https://github.com/openmcdf/openmcdf/releases/tag/v3.1.3
Same technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-jxpf-xq2m-q525