Description
Snappier is a high performance C# implementation of the Snappy compression algorithm. Prior to 1.3.1, Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes. This vulnerability is fixed in 1.3.1.
Published: 2026-05-12
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Snappier, a high-performance C# implementation of the Snappy compression algorithm, contains a flaw in SnappyStream that causes an uncatchable infinite loop when decompressing a malformed framed-format stream as small as 15 bytes. The loop consumes CPU and memory until the process or system becomes unresponsive, resulting in a denial‑of‑service condition for the application that processes the data.

Affected Systems

The vulnerability affects versions of the Snappier library released before 1.3.1, distributed under the brantburnett:Snappier vendor. Any project that references Snappier.SnappyStream without upgrading to 1.3.1 or later is at risk.

Risk and Exploitability

With a CVSS score of 7.5, the flaw is considered high severity. The EPSS score is not available, so the probability of exploitation in the wild is unknown, yet the issue is not listed in the CISA KEV catalog. An attacker could send or supply a carefully crafted, malformed Snappy stream to the vulnerable application, triggering the infinite loop. The attack requires no special privileges and can be performed remotely if the application accepts external compressed data. Successful exploitation results in process or system denial of service.

Generated by OpenCVE AI on May 12, 2026 at 23:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Snappier to version 1.3.1 or later to apply the fix.
  • If upgrading immediately is not possible, validate incoming Snappy streams against the framed format specification before decompression to reject malformed frames.
  • Avoid exposing the SnappyStream interface to untrusted or external inputs; isolate or sandbox decompression operations when possible.

Generated by OpenCVE AI on May 12, 2026 at 23:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-pggp-6c3x-2xmx Snappier has an infinite loop during SnappyStream decompression with malformed framed input
History

Mon, 18 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 May 2026 11:00:00 +0000

Type Values Removed Values Added
First Time appeared Brantburnett
Brantburnett snappier
Vendors & Products Brantburnett
Brantburnett snappier

Tue, 12 May 2026 22:00:00 +0000

Type Values Removed Values Added
Description Snappier is a high performance C# implementation of the Snappy compression algorithm. Prior to 1.3.1, Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes. This vulnerability is fixed in 1.3.1.
Title Snappier: Infinite loop in SnappyStream decompression on malformed framed input
Weaknesses CWE-835
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Brantburnett Snappier
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-18T15:10:25.995Z

Reserved: 2026-05-05T17:39:31.113Z

Link: CVE-2026-44302

cve-icon Vulnrichment

Updated: 2026-05-18T15:10:21.865Z

cve-icon NVD

Status : Deferred

Published: 2026-05-12T22:16:36.997

Modified: 2026-05-18T16:16:31.397

Link: CVE-2026-44302

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-13T10:35:24Z

Weaknesses