CVE-2026-41511 Overview
CVE-2026-41511 is an infinite loop vulnerability in OpenMcdf, a .NET/C# library for manipulating Compound File Binary (CFB) Format files (Structured Storage). Versions prior to 3.1.3 do not detect cycles in the directory entry red-black tree of a CFB document. A crafted CFB file containing a cycle in the LeftSiblingID or RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely. The affected thread consumes CPU resources with no possibility of recovery through try/catch. Maintainers patched the issue in version 3.1.3 by introducing Brent's cycle detection algorithm. The flaw is tracked under CWE-835: Loop with Unreachable Exit Condition.
Critical Impact
An attacker supplying a malformed CFB document can force any application using OpenMcdf to hang a worker thread, producing a denial-of-service condition.
Affected Products
- OpenMcdf library versions prior to 3.1.3
- .NET / C# applications consuming OpenMcdf for CFB / Structured Storage parsing
- Downstream tooling that opens untrusted Compound File Binary documents through OpenMcdf
Discovery Timeline
- 2026-05-08 - CVE-2026-41511 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-41511
Vulnerability Analysis
OpenMcdf parses CFB documents by walking a red-black tree of DirectoryEntry records. Each node references siblings through LeftSiblingID and RightSiblingID fields. The enumerator in DirectoryTreeEnumerator.cs assumed these references form an acyclic structure. When a crafted file points two siblings at one another, traversal never terminates. The calling thread remains stuck inside Storage.EnumerateEntries() or Storage.OpenStream(). Because the loop performs no allocation or boundary checks that would raise an exception, try/catch blocks around the call cannot interrupt it. The only recovery option is process termination.
Root Cause
The root cause is missing cycle detection during directory tree traversal. CFB files are attacker-controlled input in many workflows, including email attachments, document conversion pipelines, and forensic tooling. The parser trusted sibling pointers without validating tree invariants, allowing a self-referencing or mutually referencing pair of nodes to create an unreachable exit condition.
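The missing check, as an added example (not OpenMcdf's code): Brent's algorithm applied to a single sibling-ID chain. The variable names follow the fields in the patch excerpt; the SiblingChainDemo class, the dictionary model of the directory and the sample IDs are constructed for illustration, and the real enumerator walks a tree rather than one chain.

```csharp
using System;
using System.Collections.Generic;

// Added illustration, not OpenMcdf source: one sibling-ID chain, modelled as id -> next id.
static class SiblingChainDemo
{
    const uint NoStream = 0xFFFFFFFF; // CFB marker for "no sibling"

    // Follows next[id] until NoStream. Returns false when the walk comes back to the
    // saved checkpoint ID (a cycle) or when an ID has no entry (dangling reference).
    // An unchecked `while (id != NoStream) id = next[id];` never returns on `crafted`.
    static bool TryWalk(IReadOnlyDictionary<uint, uint> next, uint start, out int visited)
    {
        uint cycleLength = 1, power = 1;
        uint slowId = NoStream;           // checkpoint; nothing saved yet
        uint id = start;
        visited = 0;

        while (id != NoStream)
        {
            if (id == slowId) return false;   // back at the checkpoint: cycle
            visited++;
            if (cycleLength == power)         // move the checkpoint, double the window
            {
                slowId = id;
                power *= 2;
                cycleLength = 0;
            }
            cycleLength++;
            if (!next.TryGetValue(id, out uint nextId)) return false;
            id = nextId;
        }
        return true;
    }

    static void Main()
    {
        // Constructed sample chains: directory entry ID -> RightSiblingID.
        var valid = new Dictionary<uint, uint> { [1] = 2, [2] = 3, [3] = NoStream };
        var crafted = new Dictionary<uint, uint> { [1] = 2, [2] = 3, [3] = 4, [4] = 3 };

        foreach (var (name, chain) in new[] { ("valid", valid), ("crafted", crafted) })
        {
            bool ok = TryWalk(chain, 1, out int visited);
            Console.WriteLine($"{name}: {(ok ? "walk ended" : "rejected")} after {visited} entries");
        }
    }
}
```

Brent's method keeps one saved ID and two counters, so the check costs constant memory regardless of how many directory entries the file declares.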
Attack Vector
Exploitation requires the target application to open a crafted CFB file with OpenMcdf. The attack vector is local because the malicious document must be delivered to the parsing process. No authentication or user interaction beyond opening the file is needed. Successful exploitation exhausts a CPU core and may stall higher-level services such as document indexers, antivirus scanners, or backup tooling that batch-process untrusted CFB inputs.
private readonly Stack<DirectoryEntry> stack = new();
DirectoryEntry? current;
+ // Brent's cycle detection algorithm
+ uint cycleLength = 1;
+ uint power = 1;
+ uint slowId = StreamId.NoStream;
+
internal DirectoryTreeEnumerator(DirectoryEntries directories, DirectoryEntry root)
{
this.directories = directories;
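Review bot: the Brent state added above the constructor (cycleLength, power, slowId) is per-traversal state stored as instance fields beside stack and current, and the visible lines do not show it being reset. If this enumerator can be reset or reused for a second pass, every path that clears stack and current should also restore cycleLength = 1, power = 1 and slowId = StreamId.NoStream, otherwise the next traversal starts from a stale checkpoint. The one-line comment would also be more useful if it said which IDs are compared and what the enumerator does when a repeat is found.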
Source: GitHub Commit 24f445a — the patch introduces Brent's algorithm to detect cycles during directory tree enumeration.
Detection Methods for CVE-2026-41511
Indicators of Compromise
- A .NET process consuming OpenMcdf shows sustained 100% utilization on a single CPU core while parsing a CFB document.
- Application logs record entry into Storage.EnumerateEntries() or Storage.OpenStream() without a corresponding completion event.
- Thread dumps reveal a thread looping inside DirectoryTreeEnumerator frames in OpenMcdf assemblies.
Detection Strategies
- Inventory .NET applications and dependencies to identify any reference to OpenMcdf at versions below 3.1.3.
- Monitor processes that ingest CFB inputs (.doc, .xls, .msi, .msg) for long-running threads that never return from parsing routines.
- Correlate file-handling telemetry with CPU spikes localized to a single thread to surface candidate hangs.
Monitoring Recommendations
- Set per-operation timeouts on CFB parsing calls and alert when timeouts trigger repeatedly on similar inputs.
- Track exceptions and watchdog terminations in services that process user-supplied documents in bulk.
- Capture and retain the offending file when a parsing hang is detected to support root-cause analysis.
How to Mitigate CVE-2026-41511
Immediate Actions Required
- Upgrade the OpenMcdf NuGet package to version 3.1.3 or later across all build pipelines and deployed services.
- Rebuild and redeploy any application that statically references vulnerable OpenMcdf assemblies.
- Audit third-party components that embed OpenMcdf and request updated builds where necessary.
Patch Information
The fix is published in GitHub Release v3.1.3 and described in GHSA-jxpf-xq2m-q525. The corresponding source change is in commit 24f445a, which adds Brent's cycle detection algorithm to DirectoryTreeEnumerator.
Workarounds
- Run CFB parsing inside a dedicated worker process or sandbox that can be terminated when a watchdog timer expires.
- Reject CFB inputs from untrusted sources until the upgrade to 3.1.3 is deployed.
- Apply strict file-size and processing-time quotas to any service that opens user-supplied Structured Storage files.
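One way to implement the worker-process workaround together with the "retain the offending file" recommendation, as an added example that is not code from OpenMcdf or this advisory. The worker executable (a separate program that opens the file with OpenMcdf and exits 0 on success), the 10-second limit and the quarantine directory name are assumptions.

```csharp
using System;
using System.Diagnostics;
using System.IO;

// Added illustration: parent-side watchdog around an out-of-process CFB parser.
static class CfbWatchdog
{
    // Runs the worker on one file and kills it if it outlives the timeout.
    // Returns true only when the worker exited on its own with exit code 0.
    static bool ParseWithWatchdog(string workerPath, string cfbPath, TimeSpan timeout, string quarantineDir)
    {
        var psi = new ProcessStartInfo(workerPath) { UseShellExecute = false, CreateNoWindow = true };
        psi.ArgumentList.Add(cfbPath);   // passed as one argument, no shell parsing

        using var worker = Process.Start(psi)
            ?? throw new InvalidOperationException("worker did not start");

        if (worker.WaitForExit((int)timeout.TotalMilliseconds))
            return worker.ExitCode == 0;

        // A thread stuck in the enumerator cannot be interrupted in-process,
        // so the whole worker process is terminated instead.
        worker.Kill(entireProcessTree: true);
        worker.WaitForExit();

        // Keep a copy of the input for root-cause analysis.
        Directory.CreateDirectory(quarantineDir);
        File.Copy(cfbPath, Path.Combine(quarantineDir, Path.GetFileName(cfbPath)), overwrite: true);
        return false;
    }

    static int Main(string[] args)
    {
        if (args.Length != 2)
        {
            Console.Error.WriteLine("usage: CfbWatchdog <worker-exe> <cfb-file>");
            return 2;
        }
        bool ok = ParseWithWatchdog(args[0], args[1], TimeSpan.FromSeconds(10), "quarantine");
        Console.WriteLine(ok ? "parsed" : "rejected: worker failed or timed out");
        return ok ? 0 : 1;
    }
}
```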
# Upgrade OpenMcdf via the .NET CLI
dotnet add package OpenMcdf --version 3.1.3
# Verify the resolved version
dotnet list package | grep -i OpenMcdf


