Description
OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch. This issue has been patched in version 3.1.3.
Published: 2026-05-08
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenMcdf, a .NET library for reading and writing Compound File Binary (CFB, also called Structured Storage) files, does not verify that the directory entries of a file form a proper tree. Each 128-byte directory entry carries a LeftSiblingID and a RightSiblingID that link the entries under a storage into a red-black tree; a crafted file can point one of those IDs back at an entry already on the traversal path, and the walk performed by Storage.EnumerateEntries() and Storage.OpenStream() follows that loop forever. No exception is thrown, so try/catch cannot recover: the calling thread spins at full CPU until the thread or the process is killed, which is a denial of service (CWE-835, loop with unreachable exit condition).
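The following is an added example, not OpenMcdf code, that shows the directory walk the description refers to and the check the fix has to add. It is written in Python rather than the library's C# so it can be run stand-alone as a pre-parse checker for CFB directory streams. The entry layout (128-byte entries, UTF-16LE name, name length at offset 64, object type at 66, LeftSiblingID/RightSiblingID/ChildID at 68/72/76, 0xFFFFFFFF meaning NOSTREAM) follows the CFB specification; the function names, the two directory streams and the entry names are constructed for the example.

```python
"""Added example (not OpenMcdf code): parse CFB directory entries and walk
the LeftSiblingID/RightSiblingID tree with cycle detection."""
import struct

ENTRY_SIZE = 128           # every CFB directory entry is 128 bytes
NOSTREAM = 0xFFFFFFFF      # sibling/child ID meaning "no entry"
TYPE_STORAGE, TYPE_STREAM, TYPE_ROOT = 1, 2, 5


class DirectoryCycleError(ValueError):
    """Raised when the sibling walk reaches an entry a second time."""

    def __init__(self, entry_id):
        super().__init__(f"directory entry {entry_id} revisited: sibling cycle")
        self.entry_id = entry_id


def build_entry(name, left=NOSTREAM, right=NOSTREAM, child=NOSTREAM,
                obj_type=TYPE_STREAM):
    """Constructed 128-byte entry: only name, type and the three IDs are set."""
    name_bytes = (name + "\0").encode("utf-16-le")
    buf = bytearray(ENTRY_SIZE)
    buf[:len(name_bytes)] = name_bytes
    struct.pack_into("<H", buf, 64, len(name_bytes))   # name length incl. NUL
    buf[66] = obj_type
    buf[67] = 1                                        # colour flag: black
    struct.pack_into("<III", buf, 68, left, right, child)
    return bytes(buf)


def parse_directory(data):
    """Directory stream -> list of (name, type, left, right, child)."""
    if len(data) % ENTRY_SIZE:
        raise ValueError("directory stream is not a multiple of 128 bytes")
    entries = []
    for off in range(0, len(data), ENTRY_SIZE):
        e = data[off:off + ENTRY_SIZE]
        name_len = struct.unpack_from("<H", e, 64)[0]
        name = e[:max(name_len - 2, 0)].decode("utf-16-le", errors="replace")
        left, right, child = struct.unpack_from("<III", e, 68)
        entries.append((name, e[66], left, right, child))
    return entries


def walk_siblings(entries, start):
    """In-order walk of the sibling tree rooted at entry ID `start`.

    A valid tree visits each ID exactly once, so a second visit (or an ID
    outside the directory) means the file is crafted: raise, never loop.
    """
    visited, stack, node = set(), [], start
    while stack or node != NOSTREAM:
        while node != NOSTREAM:              # descend along LeftSiblingID
            if node >= len(entries):
                raise ValueError(f"sibling ID {node} out of range")
            if node in visited:
                raise DirectoryCycleError(node)
            visited.add(node)
            stack.append(node)
            node = entries[node][2]
        node = stack.pop()
        yield node
        node = entries[node][3]              # then follow RightSiblingID


def enumerate_entries(entries, storage_id):
    """Names directly under a storage (what Storage.EnumerateEntries walks)."""
    if entries[storage_id][1] not in (TYPE_STORAGE, TYPE_ROOT):
        raise ValueError("not a storage entry")
    return [entries[i][0] for i in walk_siblings(entries, entries[storage_id][4])]


def open_stream(entries, storage_id, name):
    """Entry ID of the named stream under a storage (Storage.OpenStream path)."""
    for i in walk_siblings(entries, entries[storage_id][4]):
        if entries[i][0] == name and entries[i][1] == TYPE_STREAM:
            return i
    raise KeyError(name)


def check_directory(data, name=None):
    """('ok', names) or ('found', id) for a sane tree; ('cycle', id) if crafted."""
    entries = parse_directory(data)
    try:
        if name is None:
            return "ok", enumerate_entries(entries, 0)
        return "found", open_stream(entries, 0, name)
    except DirectoryCycleError as exc:
        return "cycle", exc.entry_id


# Constructed directory streams. Entry 0 is the root storage; entries 1-3 are
# streams under it, a tree rooted at entry 1 with 2 on its left, 3 on its right.
GOOD_DIRECTORY = b"".join([
    build_entry("Root Entry", child=1, obj_type=TYPE_ROOT),
    build_entry("B", left=2, right=3),
    build_entry("A"),
    build_entry("C"),
])

# Same layout, but entry 3's RightSiblingID points back to entry 1: a walk
# without the visited set yields A, B, C, A, B, C, ... and never returns.
CYCLIC_DIRECTORY = b"".join([
    build_entry("Root Entry", child=1, obj_type=TYPE_ROOT),
    build_entry("B", left=2, right=3),
    build_entry("A"),
    build_entry("C", right=1),
])
```

`check_directory(GOOD_DIRECTORY)` returns `('ok', ['A', 'B', 'C'])` and `check_directory(CYCLIC_DIRECTORY)` returns `('cycle', 1)`. Note that `check_directory(CYCLIC_DIRECTORY, "C")` still succeeds, because the lookup finds the name before the walk wraps around; it is the miss case (`"Missing"`) that would spin forever in a walk without the visited set, which is why the check belongs in the traversal itself rather than in the caller.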

Affected Systems

Any application that bundles the Ironfede OpenMcdf library at a version earlier than 3.1.3 is affected; the library is open source and maintained by Ironfede. CFB is the container format of the legacy Office binary formats (.doc, .xls, .ppt), Outlook .msg files and Windows Installer (.msi) packages, so any .NET or C# component that parses such documents through OpenMcdf (document converters, mail processors, upload handlers, scanners) is exposed until it is updated to 3.1.3 or later. To confirm exposure, check the resolved OpenMcdf package version in each project's dependency lock file or the assembly version shipped with the build, not just the version range declared in the project file.

Risk and Exploitability

The CVSS 3.1 score of 6.2 (vector AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) rates this as medium severity: no privileges or user interaction are required, but only availability is affected. The local attack vector reflects that the attacker must get a crafted CFB file into a code path that calls OpenMcdf; for a service that accepts CFB-based documents from the network, that is effectively a remote, unauthenticated denial of service of the parsing thread, so treat the score as a floor rather than a ceiling. The SSVC assessment records a public proof of concept but judges the attack not automatable, EPSS is below 1%, and the vulnerability is not listed in CISA's KEV, so exploitation is straightforward but there is no evidence of use in the wild.

Generated by OpenCVE AI on May 8, 2026 at 20:30 UTC.

Remediation

Fixed upstream in OpenMcdf 3.1.3 (commit 24f445a557fc4f46461cf6d02d296cce16c293a0, per the advisory). No workaround short of upgrading is published by the vendor.

OpenCVE Recommended Actions

  • Upgrade the OpenMcdf library to version 3.1.3 or later and rebuild every dependent component.
  • If upgrading is not immediately possible, apply the upstream fix from commit 24f445a557fc4f46461cf6d02d296cce16c293a0 to a vendored copy of the library as an interim measure.
  • Otherwise stop accepting CFB files from untrusted sources, or parse them in a separate worker process with a hard wall-clock timeout: a thread stuck in this loop cannot be unwound with try/catch, so only killing the process (or rejecting the file after a pre-parse check of the directory tree) bounds the impact.

Generated by OpenCVE AI on May 8, 2026 at 20:30 UTC.

Advisories
Source: GitHub GHSA
ID: GHSA-jxpf-xq2m-q525
Title: OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle
History

Mon, 11 May 2026 19:15:00 +0000
  Metrics (added): ssvc {'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Sun, 10 May 2026 21:45:00 +0000
  First Time appeared (added): Ironfede; Ironfede openmcdf
  Vendors & Products (added): Ironfede; Ironfede openmcdf

Fri, 08 May 2026 19:00:00 +0000
  Description (added): OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch. This issue has been patched in version 3.1.3.
  Title (added): OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle
  Weaknesses (added): CWE-835
  References (added): none listed
  Metrics (added): cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-11T18:45:06.128Z

Reserved: 2026-04-20T18:18:50.681Z

Link: CVE-2026-41511

Vulnrichment

Updated: 2026-05-11T18:44:48.757Z

NVD

Status : Awaiting Analysis

Published: 2026-05-08T19:16:31.363

Modified: 2026-05-13T17:26:28.013

Link: CVE-2026-41511

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-10T21:24:56Z

Weaknesses