Description
LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution.
Published: 2026-05-08
Score: n/a
EPSS: 2.9% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability is an instance of unsafe deserialization in LINQPad’s AutoRefManager component, specifically in the PopulateFromCache() method. The flaw allows an attacker to execute arbitrary code within the context of a user’s environment. It aligns with CWE‑502: Deserialization of Untrusted Data, which can lead to full compromise of confidentiality, integrity, and availability for the affected system.

Affected Systems

LINQPad Pro edition versions prior to 5.52.01 are affected. All earlier releases must be considered vulnerable. No data is available about other editions or versions.

Risk and Exploitability

The CVSS score is not provided, and EPSS data is unavailable, so the exact likelihood of exploitation is unclear. Since the vulnerability involves deserialization of cache data, it is likely exploitable when a user opens a crafted cache file, making the attack vector local rather than remote. The vulnerability is not listed in the CISA KEV catalog.

Generated by OpenCVE AI on May 8, 2026 at 06:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LINQPad to version 5.52.01 or newer, which removes the unsafe deserialization path.
  • If upgrading is not immediately possible, prevent the use of AutoRefManager’s PopulateFromCache by disabling automatic cache loading or ensuring that only trusted cache files are processed.
  • Audit and clean existing cache directories for tampered files and monitor for abnormal activity in the cache loading process.

Generated by OpenCVE AI on May 8, 2026 at 06:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 06:45:00 +0000

Type Values Removed Values Added
Title Unsafe Deserialization in LINQPad AutoRefManager Allows Arbitrary Code Execution
Weaknesses CWE-502

Fri, 08 May 2026 05:45:00 +0000

Type Values Removed Values Added
Description LINQPad before 5.52.01 Pro edition is vulnerable to Unsafe Deserialization in LINQPad.AutoRefManager::PopulateFromCache(), leading to code execution.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-08T05:31:16.573Z

Reserved: 2024-11-20T00:00:00.000Z

Link: CVE-2024-53326

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-08T06:16:10.223

Modified: 2026-05-08T06:16:10.223

Link: CVE-2024-53326

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T06:30:46Z

Weaknesses