CVE-2026-41511
Infinite Loop in OpenMcdf Due to Undetected Directory Entry Cycles
Publication date: 2026-05-08
Last updated on: 2026-05-08
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| openmcdf | openmcdf | to 3.1.3 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-835 | The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in OpenMcdf, a .NET/C# library used to manipulate Compound File Binary (CFB) files. Before version 3.1.3, the library does not detect cycles in the directory entry red-black tree structure of a CFB document. A specially crafted CFB file containing a cycle in the LeftSiblingID / RightSiblingID chain can cause the methods Storage.EnumerateEntries() and Storage.OpenStream() to enter an infinite loop.
This infinite loop consumes the calling thread indefinitely and cannot be recovered from using try/catch blocks. The issue was fixed in version 3.1.3 of OpenMcdf.
How can this vulnerability impact me? :
The vulnerability can cause a denial of service condition by making the application using OpenMcdf hang indefinitely when processing a maliciously crafted CFB file. This happens because the application thread gets stuck in an infinite loop and cannot recover, potentially leading to resource exhaustion and unavailability of the affected functionality.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, update OpenMcdf to version 3.1.3 or later, where the issue has been patched.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in OpenMcdf allows a crafted Compound File Binary (CFB) file to cause an infinite loop, leading to a denial of service by consuming the calling thread indefinitely.
This denial of service could impact the availability of applications processing untrusted CFB files, which may affect compliance with standards and regulations that require maintaining system availability and reliability, such as GDPR and HIPAA.
However, there is no direct information provided about specific impacts on data confidentiality or integrity, or explicit references to compliance with these standards.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves an infinite loop caused by crafted Compound File Binary (CFB) files with cycles in the directory entry red-black tree. Detection involves identifying if OpenMcdf is processing such malicious CFB files that cause Storage.EnumerateEntries() or Storage.OpenStream() to loop indefinitely.
Since the issue is triggered by crafted CFB files, detection on your system can be done by monitoring for processes using OpenMcdf that hang or consume excessive CPU when handling CFB files.
There are no specific commands provided in the resources to detect this vulnerability directly on a network or system.
However, as a practical approach, you can:
- Monitor application logs or behavior for hangs or infinite loops when processing CFB files.
- Use process monitoring tools (e.g., top, htop on Linux; Task Manager or Process Explorer on Windows) to detect high CPU usage by applications using OpenMcdf.
- If you have access to the source or debugging environment, you could add logging around Storage.EnumerateEntries() and Storage.OpenStream() calls to detect repeated iterations or hangs.
To prevent exploitation, ensure OpenMcdf is updated to version 3.1.3 or later, where cycle detection is implemented.