Description
OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch. This issue has been patched in version 3.1.3.
Published: 2026-05-08
Score: 6.2 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

OpenMcdf, a .NET library for manipulating Compound File Binary files, contains a flaw where it does not detect cycles in its directory entry red‑black tree. A crafted CFB file that includes a cycle in the LeftSiblingID / RightSiblingID chain causes the library’s Storage.EnumerateEntries() and Storage.OpenStream() methods to spin in an infinite loop. This consumes the calling thread’s CPU and memory resources with no recovery path, resulting in a denial of service.
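
One way to screen for this condition before a file reaches a vulnerable parser, shown as an added example that is not OpenMcdf's code or its 3.1.3 patch: walk the sibling and child links with a visited set and reject the file on any repeat. It assumes the directory stream bytes have already been extracted from the file. The field offsets (68, 72, 76) follow the MS-CFB directory entry layout, and the function names and sample entries are constructed for illustration.

```python
import struct

NOSTREAM = 0xFFFFFFFF   # MS-CFB marker for "no sibling / no child"
ENTRY_SIZE = 128        # every directory entry is 128 bytes

def parse_links(directory: bytes):
    """Return (left, right, child) IDs for each complete 128-byte entry."""
    links = []
    for off in range(0, len(directory) - ENTRY_SIZE + 1, ENTRY_SIZE):
        # LeftSiblingID, RightSiblingID, ChildID: little-endian uint32 at 68/72/76
        links.append(struct.unpack_from("<III", directory, off + 68))
    return links

def find_directory_fault(directory: bytes):
    """Walk the tree from the root entry (ID 0).

    Returns None when every reachable entry is visited exactly once,
    otherwise a string describing the first fault found.
    """
    links = parse_links(directory)
    if not links:
        return "empty directory"
    seen = set()
    stack = [0]
    while stack:                      # bounded: each ID is expanded at most once
        sid = stack.pop()
        if sid == NOSTREAM:
            continue
        if sid >= len(links):
            return f"entry ID {sid} out of range"
        if sid in seen:
            return f"entry ID {sid} reached twice (cycle or shared node)"
        seen.add(sid)
        stack.extend(links[sid])
    return None

def make_entry(left, right, child=NOSTREAM):
    """Constructed sample entry: only the three link fields are populated."""
    raw = bytearray(ENTRY_SIZE)
    struct.pack_into("<III", raw, 68, left, right, child)
    return bytes(raw)

# Constructed samples: root (ID 0) -> child 1 -> right sibling 2
GOOD = make_entry(NOSTREAM, NOSTREAM, 1) + make_entry(NOSTREAM, 2) + make_entry(NOSTREAM, NOSTREAM)
# Same layout, but entry 2 points back to entry 1 through RightSiblingID
CYCLIC = make_entry(NOSTREAM, NOSTREAM, 1) + make_entry(NOSTREAM, 2) + make_entry(NOSTREAM, 1)
```

A well-formed tree reaches each entry once, so a second visit is treated as a fault whether it is a true cycle or two parents sharing a node.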

Affected Systems

Affected systems are applications that integrate the Ironfede OpenMcdf library versions earlier than 3.1.3. The library is distributed by Ironfede and can be found in the open‑source repository. Any .NET or C# component that loads or parses CFB documents using the old OpenMcdf code is vulnerable until it is updated to 3.1.3 or later.

Risk and Exploitability

The CVSS score of 6.2 indicates moderate severity. Because the exploit requires an attacker to supply a malicious CFB file to a code path that uses OpenMcdf, it is considered a local or application‑level attack vector, inferred from the library’s usage context. The EPSS score is not available, and the vulnerability is not listed in KEV, suggesting that while exploitation is feasible, it may not be actively used in the wild yet.

Generated by OpenCVE AI on May 8, 2026 at 20:30 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the OpenMcdf library to version 3.1.3 or later.
  • If upgrading is not possible, remove or replace any component that loads untrusted CFB files, or isolate such processing in a sandboxed environment to limit impact.
  • Apply the patch from commit 24f445a557fc4f46461cf6d02d296cce16c293a0 as an interim fix if the library cannot be immediately updated.


Advisories
Source: GitHub GHSA
ID: GHSA-jxpf-xq2m-q525
Title: OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle
History

Fri, 08 May 2026 19:00:00 +0000

Values Added:
Description: OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch. This issue has been patched in version 3.1.3.
Title: OpenMcdf has an Infinite loop DoS via crafted CFB directory cycle
Weaknesses: CWE-835
References
Metrics: cvssV3_1 {'score': 6.2, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T18:52:39.438Z

Reserved: 2026-04-20T18:18:50.681Z

Link: CVE-2026-41511

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-08T19:16:31.363

Modified: 2026-05-08T19:16:31.363

Link: CVE-2026-41511

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T20:45:16Z

Weaknesses