NET Snappier) Denial of Service (DoS) via crafted decompression stream, CVE-2026-44302 (High)

The vulnerability resides in `Snappier.SnappyStream`, a .NET stream wrapper that decompresses Snappy‑format data. When the decompressor encounters a specifically malformed framed Snappy stream as short as 15 bytes, it enters an infinite loop that cannot be caught: no exception is ever thrown and a CPU thread is tied up forever.
Internally, the hang manifests as a user‑space busy loop inside `SnappyStreamDecompressor.Decompress`, which repeatedly calls `Crc32CAlgorithm.Append`. Because there is no upper‑bound check or sanity validation on the frame header, the loop never terminates. Since the faulty data is only 15 bytes, an attacker can easily supply this payload over any channel that feeds user‑controlled bytes into a `SnappyStream`.
The loop is uncatchable: wrapping the stream operation in a `try/catch` block does nothing, as no exception is ever raised. Consequently, the thread burns 100% CPU until the host process is killed, effectively creating a self‑sustaining denial of service.
The provided proof of concept uses a 15‑byte byte array; passing it to `SnappyStream` in decompress mode and calling `CopyTo` will hang indefinitely:

using System.IO;
using System.IO.Compression;
using Snappier;

// 15-byte malformed framed Snappy stream from the report
byte[] data = { 0x00, 0x04, 0x00, 0x00, 0x64, 0x4e, 0x6c, 0x71, 0x79, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64 };
using var src = new MemoryStream(data);
using var snap = new SnappyStream(src, CompressionMode.Decompress);
using var dst = new MemoryStream();
snap.CopyTo(dst); // never returns on Snappier <= 1.3.0: busy loop, no exception

The issue affects all NuGet package versions up to 1.3.0 and is fixed in version 1.3.1.

DailyCVE form

Platform: .NET / NuGet
Version: ≤ 1.3.0
Vulnerability: Infinite loop / DoS
Severity: High
Date: 2026‑05‑06

Prediction: Patch 2026‑04‑28

What Undercode Say:

Analytics on CVE‑2026‑44302 show that any application accepting user‑supplied bytes into a `SnappyStream` decompression path is at risk. The threat is exacerbated because the hang does not log, crash, or yield – it simply stalls the thread.

Bash commands to check your project:

# List current Snappier package version in a .NET project
# (add --outdated to list only packages with a newer version available; note that
# an already patched Snappier would then not appear in the output)
dotnet list package | grep -i snappier
# Find all .csproj files referencing Snappier
find . -name "*.csproj" -exec grep -l "Snappier" {} \;
# Show the PackageReference lines (with surrounding context) so the Version attribute is visible
find . -name "*.csproj" -exec grep -A2 -B2 "Snappier" {} \;

Exploit:

Send a 15‑byte malicious Snappy frame to any endpoint that passes raw bytes to `SnappyStream` in decompression mode. The service thread will consume 100% CPU forever, requiring process termination to recover.

Protection from this CVE:

  • Upgrade immediately to Snappier 1.3.1 or later.
  • If upgrade is impossible, wrap the decompression logic in a separate process or task with a timeout, then kill the hung process.
  • Validate input bytes before handing them to `SnappyStream` (e.g., reject packets with suspicious pattern 0x00,0x04,...).
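The two interim mitigations above (out‑of‑process decompression with a timeout, and input validation before bytes reach `SnappyStream`) are combined in the following added example. It is not code from the advisory or from the Snappier project. It assumes the Snappier NuGet package is referenced, that the `dotnet` host is on `PATH`, and that this same program, when started with the argument `--worker`, acts as the child decompressor. The validation step generalises the advisory's "0x00,0x04,..." pattern check to the rule from the Snappy framing format that every framed stream must begin with the stream identifier chunk (`0xff 0x06 0x00 0x00 "sNaPpY"`); the 15‑byte PoC fails that check, but a payload that carries a valid identifier followed by a malformed chunk would still reach the decompressor, which is why the process‑level timeout is kept and upgrading stays the real fix.

```csharp
// Added example (not part of the advisory or of Snappier): defensive wrapper that
// validates the frame header and runs decompression out of process with a timeout.
using System;
using System.Diagnostics;
using System.IO;
using System.IO.Compression;
using System.Threading.Tasks;
using Snappier;

static class SafeSnappy
{
    // Snappy framing format: first chunk must be the stream identifier
    // (type 0xff, little-endian length 6, payload "sNaPpY").
    static readonly byte[] StreamIdentifier =
        { 0xff, 0x06, 0x00, 0x00, (byte)'s', (byte)'N', (byte)'a', (byte)'P', (byte)'p', (byte)'Y' };

    // Cheap filter for obviously malformed input; not a substitute for the upgrade.
    public static bool HasStreamIdentifier(ReadOnlySpan<byte> data)
        => data.Length >= StreamIdentifier.Length
           && data.Slice(0, StreamIdentifier.Length).SequenceEqual(StreamIdentifier);

    // A CancellationToken or Task.Wait(timeout) cannot stop this hang: the loop never
    // observes cancellation and .NET Core has no Thread.Abort. Only killing the
    // process reclaims the CPU, so the untrusted bytes are decompressed in a child.
    public static byte[]? DecompressWithTimeout(byte[] input, TimeSpan timeout)
    {
        if (!HasStreamIdentifier(input))
            throw new InvalidDataException("missing Snappy stream identifier chunk");

        var psi = new ProcessStartInfo
        {
            FileName = "dotnet",                         // assumption: dotnet host on PATH
            RedirectStandardInput = true,
            RedirectStandardOutput = true,
            UseShellExecute = false,
        };
        psi.ArgumentList.Add(typeof(SafeSnappy).Assembly.Location);
        psi.ArgumentList.Add("--worker");                // hypothetical worker switch
        using var proc = Process.Start(psi)!;

        // Feed stdin and read stdout asynchronously so neither side can block on a full pipe.
        var feed = Task.Run(async () =>
        {
            try { await proc.StandardInput.BaseStream.WriteAsync(input); }
            catch (IOException) { /* child was killed before it consumed all input */ }
            finally { proc.StandardInput.Close(); }
        });
        var output = ReadAllAsync(proc.StandardOutput.BaseStream);

        if (!proc.WaitForExit((int)timeout.TotalMilliseconds))
        {
            proc.Kill(entireProcessTree: true);          // reclaim the spinning thread
            return null;                                 // caller treats null as "rejected"
        }
        feed.Wait();
        return proc.ExitCode == 0 ? output.Result : null;
    }

    static async Task<byte[]> ReadAllAsync(Stream s)
    {
        using var ms = new MemoryStream();
        await s.CopyToAsync(ms);
        return ms.ToArray();
    }

    // Worker side: stdin -> SnappyStream(Decompress) -> stdout. If the vulnerable
    // loop triggers, this is the process that gets killed by the parent.
    public static int RunWorker()
    {
        using var stdin = Console.OpenStandardInput();
        using var snap = new SnappyStream(stdin, CompressionMode.Decompress);
        using var stdout = Console.OpenStandardOutput();
        snap.CopyTo(stdout);
        return 0;
    }
}

static class Program
{
    static int Main(string[] args)
    {
        if (args.Length > 0 && args[0] == "--worker")
            return SafeSnappy.RunWorker();

        // Demo with a well-formed stream produced by Snappier itself (constructed sample data).
        var plain = System.Text.Encoding.UTF8.GetBytes("hello snappy world, hello snappy world");
        using var compressed = new MemoryStream();
        using (var enc = new SnappyStream(compressed, CompressionMode.Compress, leaveOpen: true))
            enc.Write(plain, 0, plain.Length);

        var result = SafeSnappy.DecompressWithTimeout(compressed.ToArray(), TimeSpan.FromSeconds(2));
        Console.WriteLine(result is null ? "rejected or timed out" : $"decompressed {result.Length} bytes");
        return 0;
    }
}
```

Tune the timeout to the largest legitimate input you expect, and treat a `null` result as a security event worth logging: on a patched Snappier a timeout should never occur for well‑formed input, so a spike in killed workers is a usable detection signal for this class of payload.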

Impact:

  • Availability – affected thread runs indefinitely, leading to service degradation or complete halt.
  • No recovery – normal exception handling (try/catch) cannot interrupt the infinite loop.
  • Low barrier – payload is only 15 bytes, making it trivial for a remote attacker to trigger.

Sources:

Reported By: github.com
Extra Source Hub:
Undercode