CVE-2026-45785
Received Received - Intake

Infinite Loop in OpenMcdf Due to Cyclic Directory Entries

Vulnerability report for CVE-2026-45785, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-17

Last updated on: 2026-07-17

Assigner: GitHub, Inc.

Description

OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. In 3.1.3 and earlier, the BST name-lookup loop in DirectoryTree.TryGetDirectoryEntry (OpenMcdf/DirectoryTree.cs:35-46) walks directory entries by repeatedly calling directories.TryGetSibling(child, siblingType, validateColor). A crafted CFB file with cyclic Left/Right sibling links among directory entries, constructed so the per-step BST-order check in TryGetSibling (DirectoryEntries.cs:84-85) is satisfied at every step, drives this while (child is not null) loop forever. There is no cycle detection in TryGetDirectoryEntry, and the bug is reachable from RootStorage.OpenStorage(name), TryOpenStorage(name), OpenStream(name), and TryOpenStream(name), causing an unrecoverable denial of service. This issue is fixed in version 3.1.4.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-17
Last Modified
2026-07-17
Generated
2026-07-18
AI Q&A
2026-07-18
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
openmcf openmcf 3.1.4

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-835 The product contains an iteration or loop with an exit condition that cannot be reached, i.e., an infinite loop.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a denial of service issue in OpenMcdf, a .NET library for handling Compound File Binary files. It occurs due to an infinite loop in the BST name-lookup process caused by cyclic sibling links in crafted CFB files. The loop lacks cycle detection, leading to an unrecoverable hang when processing such files.

Detection Guidance

This vulnerability can be detected by checking the version of OpenMcdf in use. If you are running version 3.1.3 or earlier, the system is vulnerable. No specific commands are provided in the context to detect cyclic CFB files, but monitoring for excessive CPU or memory usage during file operations may indicate exploitation.

Impact Analysis

If exploited, this vulnerability could cause applications using OpenMcdf to freeze or crash when processing malicious CFB files. This results in denial of service, disrupting normal operations and potentially leading to data unavailability or service interruptions.

Compliance Impact

This vulnerability causes an unrecoverable denial of service by entering an infinite loop when processing crafted CFB files. While it does not directly expose or leak data, it could disrupt system availability, potentially impacting compliance with GDPR (availability principle) or HIPAA (accessibility and integrity requirements) if critical systems are affected.

Mitigation Strategies

Upgrade OpenMcdf to version 3.1.4 or later to address the vulnerability. Avoid processing untrusted CFB files until the update is applied. If immediate upgrading is not possible, restrict access to functions like RootStorage.OpenStorage, TryOpenStorage, OpenStream, and TryOpenStream to reduce exposure.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-45785. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart