Description
LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution.
Published: 2026-05-08
Score: 7.3 High
EPSS: 3.5% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an unsafe deserialization flaw in LINQPad’s AutoRefManager component, located in the PopulateFromCache method. By crafting a malicious cache payload, an attacker can trigger the deserialization routine and execute arbitrary code under the user’s account. The result is full compromise of confidentiality, integrity, and availability for the affected system.

Affected Systems

LINQPad Pro editions earlier than version 5.52.01 are vulnerable. All releases prior to this fix are considered at risk. No information is available about other editions or later versions.

Risk and Exploitability

The attack vector appears to be local, inferred from the fact that the deserialization occurs when a cache file is loaded during application startup or user activity. The CVSS score of 7.3 indicates a high severity level, while the EPSS score of 4% indicates a low but non‑zero likelihood of exploitation. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 9, 2026 at 15:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LINQPad to version 5.52.01 or newer, which removes the unsafe deserialization path.
  • If upgrading is not immediately possible, prevent the use of AutoRefManager’s PopulateFromCache by disabling automatic cache loading or ensuring that only trusted cache files are processed.
  • Audit and clean existing cache directories for tampered files and monitor for abnormal activity in the cache loading process.

Advisories

No advisories yet.

History

Tue, 12 May 2026 10:45:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Linqpad; Linqpad linqpad
Vendors & Products | | Linqpad; Linqpad linqpad

Sat, 09 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Title | | Unsafe Deserialization Enabling Arbitrary Code Execution in LINQPad AutoRefManager

Fri, 08 May 2026 20:30:00 +0000

Type | Values Removed | Values Added
Title | | Unsafe Deserialization Enabling Arbitrary Code Execution in LINQPad AutoRefManager

Fri, 08 May 2026 19:15:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-502
Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 16:00:00 +0000

Type | Values Removed | Values Added
Title | | Unsafe Deserialization in LINQPad AutoRefManager Allows Arbitrary Code Execution
Weaknesses | | CWE-502

Fri, 08 May 2026 06:45:00 +0000

Type | Values Removed | Values Added
Title | | Unsafe Deserialization in LINQPad AutoRefManager Allows Arbitrary Code Execution
Weaknesses | | CWE-502

Fri, 08 May 2026 05:45:00 +0000

Type | Values Removed | Values Added
Description | | LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T19:07:17.134Z

Reserved: 2024-11-20T00:00:00.000Z

Link: CVE-2024-53326

Vulnrichment

Updated: 2026-05-08T19:05:05.428Z

NVD

Status: Awaiting Analysis

Published: 2026-05-08T06:16:10.223

Modified: 2026-05-08T20:16:29.550

Link: CVE-2024-53326

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T09:25:30Z

Weaknesses