OpenMcdf, Denial of Service (DoS), CVE-2026-41511 (Medium)

Listen to this Post

The vulnerability resides in how OpenMcdf traverses the red‑black directory tree of a Compound File Binary (CFB) document without tracking visited nodes.
CFB directory entries are linked by `LeftSiblingID` and `RightSiblingID` fields that form a red‑black tree.
OpenMcdf’s `DirectoryTreeEnumerator` and `DirectoryTree.TryGetDirectoryEntry` follow these pointers but never record which node IDs have already been visited.
If an attacker crafts a CFB file where the sibling pointers form a cycle – for example, entry A’s `RightSiblingID` points to entry B, and entry B’s `LeftSiblingID` points back to A – the traversal never reaches a terminating condition.

Two code paths are affected:

1. `Storage.EnumerateEntries()` – The `DirectoryTreeEnumerator.MoveNext()` method never returns false. A `foreach` loop over the entries yields the same entry repeatedly, and heap memory grows without bound as entries are accumulated.
2. `Storage.OpenStream()` – The `DirectoryTree.TryGetDirectoryEntry` method enters an infinite loop inside `DirectoryEntries.TryGetSibling` while resolving a stream name.
Because no exception is thrown, a `try/catch` block cannot intercept the loop. The calling thread hangs permanently, requiring the process to be killed for recovery.
A minimal crafted CFB file that passes the initial magic‑header check (D0 CF 11 E0 A1 B1 1A E1) is sufficient to trigger the infinite loop.

dailycve form

Platform: .NET / C
Version: <3.1.3
Vulnerability: Infinite loop DoS
Severity: Moderate
date: 2026-04-22

Prediction: Patch 2026-04-23

Analytics – What Undercode Say:

Check installed OpenMcdf version via NuGet
dotnet list package --include-transitive | grep OpenMcdf
Detect CFB files with potential sibling cycles (custom script)
for f in .cfb; do
xxd -p "$f" | grep -E "d0 cf 11 e0|left|right" && echo "⚠️ $f may contain cycle"
done
// PoC code that triggers the infinite loop
using OpenMcdf;
using var ms = new MemoryStream(File.ReadAllBytes("crafted.cfb"));
using var root = RootStorage.Open(ms);
// Foreach never exits – hangs forever
foreach (var entry in root.EnumerateEntries())
{
Console.WriteLine(entry.Name);
if (entry.Type == EntryType.Stream)
root.OpenStream(entry.Name); // also hangs depending on cycle
}

How Exploit:

An attacker supplies a specially crafted CFB file to an application that uses OpenMcdf to parse untrusted documents. The file contains a cycle in the `LeftSiblingID` / `RightSiblingID` pointers of the directory tree. When the application calls `EnumerateEntries()` or OpenStream(), the library enters an infinite loop, consuming 100% CPU on the calling thread. No exception is raised, so the application cannot recover. The attacker effectively erases the availability of the service.

Protection from this CVE

  • Upgrade to OpenMcdf version 3.1.3 or later, where cycle detection has been added.
  • If upgrading is not possible, consider wrapping the library in a separate process with a timeout, so the process can be terminated without affecting the main application.
  • Avoid using `EnumerateEntries()` on untrusted CFB files; prefer `GetStream()` for known stream names, which still may be vulnerable but is less exposed.

Impact

  • Denial of Service – Any application that opens untrusted CFB files can be forced into a permanent hang.
  • Unrecoverable – The only way to restore service is to kill the entire process; threads cannot be interrupted by try/catch.
  • Low material cost – An exploit file can be as small as a few hundred bytes, making it easy to deploy in mass‑exploitation scenarios.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top