CVE-2026-41511
Description
OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch. This issue has been patched in version 3.1.3.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| OpenMcdf (NuGet) | < 3.1.3 | 3.1.3 |
Affected products
- Package: https://nuget.org/packages/OpenMcdf
Patches
24f445a557fc: Detect directory tree cycles with Brent's algorithm
1 file changed · +21 −0
OpenMcdf/DirectoryTreeEnumerator.cs+21 −0 modified@@ -12,6 +12,11 @@ internal sealed class DirectoryTreeEnumerator : IEnumerator<DirectoryEntry> private readonly Stack<DirectoryEntry> stack = new(); DirectoryEntry? current; + // Brent's cycle detection algorithm + uint cycleLength = 1; + uint power = 1; + uint slowId = StreamId.NoStream; + internal DirectoryTreeEnumerator(DirectoryEntries directories, DirectoryEntry root) { this.directories = directories; @@ -44,6 +49,19 @@ public bool MoveNext() } current = stack.Pop(); + + if (current.Id == slowId && slowId != StreamId.NoStream) + throw new FileFormatException("Directory tree contains a loop."); + + if (cycleLength == power) + { + cycleLength = 0; + power *= 2; + slowId = current.Id; + } + + cycleLength++; + DirectoryEntry? rightSibling = directories.TryGetSibling(current, SiblingType.Right, false); if (rightSibling is not null) PushLeft(rightSibling); @@ -56,6 +74,9 @@ public void Reset() { current = null; stack.Clear(); + cycleLength = 1; + power = 1; + slowId = StreamId.NoStream; if (root.ChildId != StreamId.NoStream) { DirectoryEntry child = directories.GetDictionaryEntry(root.ChildId);
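Review bot: The three fields added at the top of `DirectoryTreeEnumerator` (`cycleLength`, `power`, `slowId`) are documented only by the single comment `// Brent's cycle detection algorithm`, which does not say what each one holds. Suggest one short comment per field: `slowId` is the ID of the last checkpointed entry, `power` is the step count at which the next checkpoint is taken, `cycleLength` counts steps since the last checkpoint, and `StreamId.NoStream` in `slowId` means no checkpoint has been taken yet.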
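Review bot: In `MoveNext()` the loop check runs only once per popped entry, right after `current = stack.Pop()`, so it cannot fire while `PushLeft(rightSibling)` is still executing. If `PushLeft` follows left-sibling links in a loop of its own, a cycle made only of LeftSiblingID links would keep it from ever returning to this check; please confirm it terminates on such input or add a guard there. The change is +21 −0 in a single file with no test, so a regression test that feeds a crafted looping directory and expects the `FileFormatException` would be worth adding.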
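Review bot: `Reset()` repeats the starting values that the field initializers already set (`cycleLength = 1; power = 1; slowId = StreamId.NoStream;`), so the initial detection state is defined in two places and the copies can drift apart. Consider a small private helper that sets these three fields and is called from `Reset()`, leaving the fields without initializers.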
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
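The check below is an added example, not code from OpenMcdf or the advisory: a Python pre-parse validator that walks the LeftSiblingID / RightSiblingID / ChildID links of a raw CFB directory and reports an entry that is reached twice. It uses a visited set rather than the Brent's algorithm the patch uses; the function names and both sample directories are constructed for illustration, and it assumes the directory stream bytes have already been extracted, with link fields at offsets 68, 72 and 76 of each 128-byte entry as in the MS-CFB layout.

```python
import struct

NOSTREAM = 0xFFFFFFFF  # MS-CFB marker for "no sibling / no child"
ENTRY_SIZE = 128       # every directory entry is 128 bytes

def make_entry(name, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM, obj_type=2):
    """Build one constructed directory entry (sample data, not a real file)."""
    raw = name.encode("utf-16-le") + b"\x00\x00"
    head = raw.ljust(64, b"\x00") + struct.pack("<HBB", len(raw), obj_type, 1)
    return (head + struct.pack("<III", left, right, child)).ljust(ENTRY_SIZE, b"\x00")

def parse_links(directory):
    """Read (LeftSiblingID, RightSiblingID, ChildID) at offset 68 of each entry."""
    return [struct.unpack_from("<III", directory, off + 68)
            for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE)]

def find_directory_loop(directory, root_id=0):
    """Return the first entry ID reached twice from the root, or None if the
    links form a proper tree. Every iteration consumes one pending link, so
    the walk always terminates."""
    links = parse_links(directory)
    seen, pending = set(), [root_id]
    while pending:
        entry_id = pending.pop()
        if entry_id == NOSTREAM:
            continue
        if entry_id >= len(links):
            raise ValueError(f"entry ID {entry_id} is outside the directory")
        if entry_id in seen:
            return entry_id  # loop, or one entry linked from two parents
        seen.add(entry_id)
        pending.extend(links[entry_id])
    return None

# Constructed sample directories: root storage (ID 0) whose child tree is B(2),
# with left sibling A(1) and right sibling C(3).
GOOD_DIR = b"".join([
    make_entry("Root Entry", child=2, obj_type=5),
    make_entry("A"),
    make_entry("B", left=1, right=3),
    make_entry("C"),
])
# Same layout, but C's RightSiblingID points back at B.
BAD_DIR = GOOD_DIR[:3 * ENTRY_SIZE] + make_entry("C", right=2)

if __name__ == "__main__":
    print("good:", find_directory_loop(GOOD_DIR))  # None
    print("bad: ", find_directory_loop(BAD_DIR))   # 2
```

Running a check like this before handing untrusted files to a version older than 3.1.3 lets the caller reject a looping directory instead of blocking a thread in `Storage.EnumerateEntries()` or `Storage.OpenStream()`.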
References
- github.com/advisories/GHSA-jxpf-xq2m-q525 (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2026-41511 (ghsa, ADVISORY)
- github.com/openmcdf/openmcdf/commit/24f445a557fc4f46461cf6d02d296cce16c293a0 (nvd, WEB)
- github.com/openmcdf/openmcdf/releases/tag/v3.1.3 (nvd, WEB)
- github.com/openmcdf/openmcdf/security/advisories/GHSA-jxpf-xq2m-q525 (nvd, WEB)