OpenMcdf CVE-2026-41511

MEDIUM
Loop with Unreachable Exit Condition (Infinite Loop) (CWE-835)
2026-04-22 https://github.com/openmcdf/openmcdf GHSA-jxpf-xq2m-q525
Denial Of Service
6.2
CVSS 3.1
Share

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

1
Analysis Generated
Apr 23, 2026 - 07:06 vuln.today

DescriptionNVD

Summary

OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch.

Details

CFB directory entries form a red-black tree linked by LeftSiblingID and RightSiblingID fields. OpenMcdf's DirectoryTreeEnumerator and DirectoryTree.TryGetDirectoryEntry traverse this tree without tracking visited node IDs, so a crafted cycle (e.g. entry A's RightSiblingID points to entry B, and entry B's LeftSiblingID points back to entry A) causes traversal to loop indefinitely.

Two distinct code paths are affected:

  • Storage.EnumerateEntries() - DirectoryTreeEnumerator.MoveNext() never returns false; the same entry is yielded on every iteration and the caller's foreach never exits. Heap grows unboundedly as entries accumulate.
  • Storage.OpenStream() - DirectoryTree.TryGetDirectoryEntry loops indefinitely inside DirectoryEntries.TryGetSibling during the name lookup.

PoC

A crafted CFB file with a sibling cycle (see attached) triggers the issue with the following code:

csharp
using OpenMcdf;

using var ms = new MemoryStream(File.ReadAllBytes("crafted.cfb"));
using var root = RootStorage.Open(ms);

// Never returns - EnumerateEntries loops indefinitely
foreach (var entry in root.EnumerateEntries())
{
    Console.WriteLine(entry.Name);

    if (entry.Type == EntryType.Stream)
        root.OpenStream(entry.Name); // also hangs depending on the cycle structure
}

Impact

A denial of service affecting any application that opens untrusted CFB files with OpenMcdf. A small crafted input carrying a valid CFB magic header (D0 CF 11 E0 A1 B1 1A E1) is sufficient to pass initial format validation and reach the vulnerable traversal code. No exception is thrown, so try/catch cannot protect callers. The affected thread is unrecoverable without killing the process.

AnalysisAI

OpenMcdf fails to detect cycles in Compound File Binary (CFB) directory entry red-black trees, causing indefinite loops in Storage.EnumerateEntries() and Storage.OpenStream() when processing crafted CFB files with sibling ID cycles. This denial-of-service vulnerability consumes the calling thread permanently with no recovery path via exception handling, affecting any application opening untrusted CFB documents. …

Sign in for full analysis, threat intelligence, and remediation guidance.

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Sign in - Free

Share

CVE-2026-41511 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy