Skip to main content

ParquetSharp CVE-2026-42241

| EUVDEUVD-2026-28430 MEDIUM
Memory Allocation with Excessive Size Value (CWE-789)
2026-05-07 GitHub_M
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
Low

Lifecycle Timeline

3
Source Code Evidence Fetched
May 07, 2026 - 20:01 vuln.today
Analysis Generated
May 07, 2026 - 20:01 vuln.today
CVE Published
May 07, 2026 - 18:52 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this could lead to a stack overflow. In a service environment, this would potentially take down a service. This affects applications using ParquetSharp to read untrusted Parquet files in a network service. This issue has been patched in version 23.0.0.1.

AnalysisAI

Stack overflow in ParquetSharp versions 18.1.0 through 23.0.0.0 allows remote unauthenticated attackers to cause denial of service by supplying a maliciously crafted Parquet file with a decimal column declaring an unreasonably large width, triggering unbounded stack allocation in the DecimalConverter.ReadDecimal method. This impacts network services that parse untrusted Parquet files. The vulnerability has been patched in version 23.0.0.1.

Technical ContextAI

ParquetSharp is a .NET wrapper around the Apache Parquet C++ library, enabling read/write operations on Parquet columnar data files. The vulnerability exists in the DecimalConverter.ReadDecimal method, which uses stackalloc (a C

construct for stack-allocated memory) without validating the width parameter of decimal columns before allocation. The decimal width value is read from the Parquet file metadata, making it attacker-controllable when processing untrusted files. The root cause is CWE-789 (Memory Allocation with Excessive Size Value), where the application fails to constrain the size of stack memory allocation based on external input. An attacker can craft a Parquet file with a decimal column type specifying an arbitrarily large width, causing stackalloc to request excessive stack memory, triggering a stack overflow exception and crashing the application. This affects specifically the .NET runtime environment hosting ParquetSharp-based services.

RemediationAI

Upgrade ParquetSharp to version 23.0.0.1 or later immediately. This patched version applies a limit on stackalloc size when reading decimal columns, preventing attackers from specifying unbounded width values. For applications unable to upgrade immediately, implement strict input validation on Parquet files before parsing: reject files containing decimal columns with width values exceeding a reasonable threshold (e.g., 38 digits, the maximum precision of .NET decimal type). Additionally, configure ParquetSharp parsing in a sandboxed or isolated process with limited stack size, such that a stack overflow terminates only the worker process rather than the entire service, allowing graceful error handling. Monitor Parquet file sources and restrict file ingestion to trusted suppliers where feasible. The patch version 23.0.0.1 is available at https://www.nuget.org/packages/ParquetSharp/23.0.0.1 and via GitHub at https://github.com/G-Research/ParquetSharp/releases/tag/23.0.0.1.

Share

CVE-2026-42241 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy