Listen to this Post
The vulnerability resides in how OpenMcdf traverses the red‑black directory tree of a Compound File Binary (CFB) document without tracking visited nodes.
CFB directory entries are linked by `LeftSiblingID` and `RightSiblingID` fields that form a red‑black tree.
OpenMcdf’s `DirectoryTreeEnumerator` and `DirectoryTree.TryGetDirectoryEntry` follow these pointers but never record which node IDs have already been visited.
If an attacker crafts a CFB file where the sibling pointers form a cycle – for example, entry A’s `RightSiblingID` points to entry B, and entry B’s `LeftSiblingID` points back to A – the traversal never reaches a terminating condition.
Two code paths are affected:
1. `Storage.EnumerateEntries()` – The `DirectoryTreeEnumerator.MoveNext()` method never returns false. A `foreach` loop over the entries yields the same entry repeatedly, and heap memory grows without bound as entries are accumulated.
2. `Storage.OpenStream()` – The `DirectoryTree.TryGetDirectoryEntry` method enters an infinite loop inside `DirectoryEntries.TryGetSibling` while resolving a stream name.
Because no exception is thrown, a `try/catch` block cannot intercept the loop. The calling thread hangs permanently, requiring the process to be killed for recovery.
A minimal crafted CFB file that passes the initial magic‑header check (D0 CF 11 E0 A1 B1 1A E1) is sufficient to trigger the infinite loop.
dailycve form
Platform: .NET / C
Version: <3.1.3
Vulnerability: Infinite loop DoS
Severity: Moderate
date: 2026-04-22
Prediction: Patch 2026-04-23
Analytics – What Undercode Say:
Check installed OpenMcdf version via NuGet dotnet list package --include-transitive | grep OpenMcdf Detect CFB files with potential sibling cycles (custom script) for f in .cfb; do xxd -p "$f" | grep -E "d0 cf 11 e0|left|right" && echo "⚠️ $f may contain cycle" done
// PoC code that triggers the infinite loop
using OpenMcdf;
using var ms = new MemoryStream(File.ReadAllBytes("crafted.cfb"));
using var root = RootStorage.Open(ms);
// Foreach never exits – hangs forever
foreach (var entry in root.EnumerateEntries())
{
Console.WriteLine(entry.Name);
if (entry.Type == EntryType.Stream)
root.OpenStream(entry.Name); // also hangs depending on cycle
}
How Exploit:
An attacker supplies a specially crafted CFB file to an application that uses OpenMcdf to parse untrusted documents. The file contains a cycle in the `LeftSiblingID` / `RightSiblingID` pointers of the directory tree. When the application calls `EnumerateEntries()` or OpenStream(), the library enters an infinite loop, consuming 100% CPU on the calling thread. No exception is raised, so the application cannot recover. The attacker effectively erases the availability of the service.
Protection from this CVE
- Upgrade to OpenMcdf version 3.1.3 or later, where cycle detection has been added.
- If upgrading is not possible, consider wrapping the library in a separate process with a timeout, so the process can be terminated without affecting the main application.
- Avoid using `EnumerateEntries()` on untrusted CFB files; prefer `GetStream()` for known stream names, which still may be vulnerable but is less exposed.
Impact
- Denial of Service – Any application that opens untrusted CFB files can be forced into a permanent hang.
- Unrecoverable – The only way to restore service is to kill the entire process; threads cannot be interrupted by
try/catch. - Low material cost – An exploit file can be as small as a few hundred bytes, making it easy to deploy in mass‑exploitation scenarios.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

