CVE-2026-42241
Deferred Deferred - Pending Action
Stack Overflow in ParquetSharp via Decimal Column Width

Publication date: 2026-05-07

Last updated on: 2026-05-07

Assigner: GitHub, Inc.

Description
ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this could lead to a stack overflow. In a service environment, this would potentially take down a service. This affects applications using ParquetSharp to read untrusted Parquet files in a network service. This issue has been patched in version 23.0.0.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-07
Last Modified
2026-05-07
Generated
2026-06-19
AI Q&A
2026-05-07
EPSS Evaluated
2026-06-18
NVD
CVE-2026-42241
EUVD
EUVD-2026-28430
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
g-research parquetsharp From 18.1.0 (inc) to 23.0.0.1 (exc)
g-research parquetsharp 23.0.0.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the ParquetSharp .NET library, specifically in the DecimalConverter.ReadDecimal method. The method uses stack allocation (stackalloc) with a size that can be controlled by an attacker through a decimal column width in a Parquet file. If an attacker supplies a decimal column with an unreasonably large width, it can cause a stack overflow.

This stack overflow can lead to crashes when the library reads untrusted Parquet files, especially in network service environments where such files are processed.

Compliance Impact

The vulnerability in ParquetSharp can lead to a stack overflow and potential service crashes when processing untrusted Parquet files with excessively large decimal type widths. While this primarily impacts service availability, there is no direct information provided about how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability arises when ParquetSharp reads untrusted Parquet files containing decimal columns with excessively large widths, causing a stack overflow. Detection involves monitoring for crashes or stack overflow errors in services using ParquetSharp versions between 18.1.0 and before 23.0.0.1 when processing Parquet files.

To detect potential exploitation or presence of the vulnerability, you can:

  • Check the version of ParquetSharp used in your application to ensure it is 23.0.0.1 or later, where the issue is fixed.
  • Monitor application logs for stack overflow exceptions or crashes occurring during Parquet file processing.
  • If you have access to the Parquet files being processed, inspect decimal column widths for unusually large values that could trigger the vulnerability.

There are no specific commands provided in the resources for detecting this vulnerability on a network or system. However, general approaches include:

  • Using process monitoring tools (e.g., Windows Event Viewer, Linux system logs) to detect crashes or stack overflow errors in the service.
  • Using debugging or profiling tools to trace stack usage during Parquet file processing.
  • Scanning your application dependencies to identify the ParquetSharp version in use, for example, by checking package manifests or using commands like `dotnet list package` in .NET projects.
Impact Analysis

If you use ParquetSharp to read untrusted Parquet files, an attacker could craft a file with a very wide decimal column to trigger a stack overflow.

This can cause the service or application processing the file to crash, potentially leading to denial of service.

The impact is limited to availability, with no direct impact on confidentiality or integrity.

Mitigation Strategies

To mitigate this vulnerability, you should update ParquetSharp to version 23.0.0.1 or later, which includes a fix that limits stack allocation size when reading decimal columns.

Additionally, avoid processing untrusted Parquet files with vulnerable versions of ParquetSharp to reduce the risk of stack overflow crashes.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-42241. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart