Description
ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this could lead to a stack overflow. In a service environment, this would potentially take down a service. This affects applications using ParquetSharp to read untrusted Parquet files in a network service. This issue has been patched in version 23.0.0.1.
Published: 2026-05-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

ParquetSharp is a .NET library used for reading and writing Apache Parquet files. From version 18.1.0 up to, but not including, 23.0.0.1, the DecimalConverter.ReadDecimal function performs a stack allocation (stackalloc) whose size is taken from a value stored in the file being read. An attacker can construct a Parquet file that declares a decimal column with an unusually large width. When the library reads such a file, it tries to place an overly large buffer on the thread's stack; a stack overflow in .NET cannot be caught as an exception, so the host process terminates. This type of flaw is classified as CWE‑789 (memory allocation with an excessive size value) and results in a denial‑of‑service outcome rather than privilege escalation or data exposure.
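The pattern described above, as an added illustration that is not ParquetSharp's own code: a decimal reader that sizes a stack buffer from a width read out of the file, beside a bounded version that validates the width before allocating. The method names, the 16-byte cap, and the sample byte strings are assumptions made for this example; the page does not say what bound the 23.0.0.1 fix applies.

```csharp
// Added example for this page, not ParquetSharp's own code. It shows the
// CWE-789 shape (a stack buffer sized by a width read from the file) next to
// a bounded reader. Names, the 16-byte cap and the inputs are assumptions.
using System;
using System.Numerics;

public static class DecimalWidthDemo
{
    // Parquet stores fixed-length decimals as big-endian two's-complement
    // byte strings; 16 bytes cover the format's maximum of 38 digits.
    // Assumed cap for the hardened reader.
    public const int MaxDecimalByteWidth = 16;

    // Vulnerable shape: declaredWidth comes straight from the file's schema.
    // A width of a few megabytes exhausts the thread stack; in .NET a
    // StackOverflowException cannot be caught, so the process dies.
    public static decimal ReadDecimalUnbounded(ReadOnlySpan<byte> raw, int declaredWidth, int scale)
    {
        Span<byte> buffer = stackalloc byte[declaredWidth]; // attacker-sized allocation
        raw.Slice(0, Math.Min(raw.Length, declaredWidth)).CopyTo(buffer);
        return ToDecimal(buffer, scale);
    }

    // Hardened shape: validate the width against what the format can need,
    // then use a constant-size stack buffer so the untrusted value never
    // chooses an allocation size.
    public static decimal ReadDecimalBounded(ReadOnlySpan<byte> raw, int declaredWidth, int scale)
    {
        if (declaredWidth <= 0 || declaredWidth > MaxDecimalByteWidth)
            throw new FormatException($"unsupported decimal byte width {declaredWidth}");
        if (raw.Length != declaredWidth)
            throw new FormatException("value length does not match declared width");

        Span<byte> buffer = stackalloc byte[MaxDecimalByteWidth]; // constant size
        // Sign-extend into the wider buffer so the big-endian value is preserved.
        byte fill = (raw[0] & 0x80) != 0 ? (byte)0xFF : (byte)0x00;
        buffer.Fill(fill);
        raw.CopyTo(buffer.Slice(MaxDecimalByteWidth - declaredWidth));
        return ToDecimal(buffer, scale);
    }

    // Big-endian two's-complement bytes -> System.Decimal, divided by 10^scale.
    private static decimal ToDecimal(ReadOnlySpan<byte> bytes, int scale)
    {
        var unscaled = new BigInteger(bytes, isUnsigned: false, isBigEndian: true);
        return (decimal)unscaled / (decimal)BigInteger.Pow(10, scale);
    }

    public static void Main()
    {
        // Constructed sample: 0x000004D2 = 1234 with scale 2 -> 12.34
        byte[] value = { 0x00, 0x00, 0x04, 0xD2 };
        Console.WriteLine(ReadDecimalBounded(value, 4, 2));

        // Constructed sample: 0xFFFFFB2E = -1234 in two's complement -> -12.34
        byte[] negative = { 0xFF, 0xFF, 0xFB, 0x2E };
        Console.WriteLine(ReadDecimalBounded(negative, 4, 2));

        // The schema-supplied width is the attacker's lever: the bounded reader
        // rejects it, while the unbounded one would try to stackalloc 64 MiB.
        int hostileWidth = 64 * 1024 * 1024;
        try
        {
            ReadDecimalBounded(value, hostileWidth, 2);
        }
        catch (FormatException e)
        {
            Console.WriteLine("rejected: " + e.Message);
        }
        // ReadDecimalUnbounded(value, hostileWidth, 2); // would terminate the process
    }
}
```

The point of the bounded version is that the allocation size is a compile-time constant and the file-supplied width only decides whether the value is accepted; a file size limit on the upload would not help, because the hostile width is a small metadata field, not a large payload.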

Affected Systems

The vulnerability affects the G‑Research ParquetSharp library. All versions from 18.1.0 up to, but not including, 23.0.0.1 are vulnerable. Applications that use any of these versions to read untrusted Parquet files in a network service environment are at risk.

Risk and Exploitability

The CVSS 3.1 score of 5.3 (vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L) indicates a moderate risk: network-reachable, low complexity, no privileges or user interaction required, with an availability-only impact. Because the exploit is achieved through the ingestion of a malformed Parquet file, an attacker who can supply such a file to a service that processes Parquet files can trigger the stack overflow. The EPSS score is below 1% (very low), and the flaw is not listed in CISA's KEV catalog. The attack vector is inferred to be the upload or reception of a crafted Parquet file by a network service that relies on ParquetSharp.

Generated by OpenCVE AI on May 7, 2026 at 20:36 UTC.

Remediation

Fixed in ParquetSharp 23.0.0.1 (vendor advisory GHSA-rrjr-v56m-ww88). No workaround is listed by the vendor.

OpenCVE Recommended Actions

  • Upgrade the ParquetSharp library to version 23.0.0.1 or later to eliminate the stack allocation flaw
  • If an upgrade is not immediately possible, isolate the service from untrusted file input and, before passing data to ParquetSharp, inspect the file's schema and reject decimal columns whose declared width is larger than your data legitimately needs; a file size limit alone does not stop this, because the trigger is a small metadata value rather than a large payload
  • Monitor the service for unexpected process terminations and restarts (a stack overflow in .NET kills the whole process rather than raising a catchable exception) and set up alerts on crashes that coincide with Parquet ingestion

Generated by OpenCVE AI on May 7, 2026 at 20:36 UTC.

Advisories
Source: Github GHSA
ID: GHSA-rrjr-v56m-ww88
Title: ParquetSharp: Possible Stack Overflow When Reading a ParquetFile with Large Decimal Type Width
History

Thu, 07 May 2026 21:45:00 +0000

Type: First Time appeared
Values Added: G-research; G-research parquetsharp

Type: Vendors & Products
Values Added: G-research; G-research parquetsharp

Thu, 07 May 2026 19:30:00 +0000

Type: Description
Values Added: ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this could lead to a stack overflow. In a service environment, this would potentially take down a service. This affects applications using ParquetSharp to read untrusted Parquet files in a network service. This issue has been patched in version 23.0.0.1.

Type: Title
Values Added: ParquetSharp: Possible Stack Overflow When Reading a ParquetFile with Large Decimal Type Width

Type: Weaknesses
Values Added: CWE-789

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-07T18:52:06.773Z

Reserved: 2026-04-25T05:37:12.118Z

Link: CVE-2026-42241

Vulnrichment

No data.

NVD

Status : Deferred

Published: 2026-05-07T20:16:44.247

Modified: 2026-05-07T20:37:54.060

Link: CVE-2026-42241

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-07T21:24:24Z

Weaknesses