Listen to this Post
DecimalConverter.ReadDecimal in ParquetSharp uses a stackalloc with an attacker-controlled decimal column width. The function reads the declared width of a decimal column directly from the Parquet file without validating its value. If an attacker creates a malicious Parquet file that declares a decimal column with an unreasonably large width, that value is used to allocate the buffer on the stack. The stack memory region has a fixed, limited size. Allocating a very large buffer on the stack overflows the stack memory region, corrupting critical stack metadata and execution context. A stack overflow typically leads to an immediate process crash with a StackOverflowException. In a service environment, this crash terminates the entire service, resulting in a denial of service. The crash is deterministic and does not require memory corruption to be exploitable further. The function does not check if the width exceeds a safe threshold, such as 128 bytes, before calling stackalloc. This is a classic uncontrolled stack allocation vulnerability. Any network service that uses ParquetSharp to automatically process untrusted Parquet files is vulnerable. The attack vector is a single Parquet file that passes an unreasonable width value in its decimal column schema. No authentication, user interaction, or chaining with other exploits is required. The vulnerable method is located in the ParquetSharp core library. The vulnerability lies in trusting metadata from the Parquet file when performing memory management decisions.
dailyCVE form:
Platform: .NET
Version: 18.1.0–23.0.0.1
Vulnerability: Stack-based overflow
Severity: Critical
date: 2026-04-24
Prediction: Patch 2026-04-24
What Undercode Say:
Analytics
Monitoring can detect crashes from this vulnerability by tracking unexpected process terminations in services that process Parquet files. Alert on frequent restarts of .NET services handling user-provided Parquet data. Anomaly detection on crash logs can identify patterns of stack overflow exceptions originating from ParquetSharp methods.
Commands & code
Detect vulnerable ParquetSharp version dotnet list package --include-transitive | grep -i parquetsharp
// Pseudo-code of the vulnerable pattern
public void ReadDecimal(int width)
{
Span<byte> buffer = stackalloc byte[bash]; // width from untrusted input
// ...
}
How Exploit:
Attacker crafts a Parquet file with a decimal column declaring an extremely large width (e.g., 10,000,000 bytes). The victim’s service reads the file, triggering stack allocation with that width, causing stack overflow and service crash.
Protection from this CVE
Upgrade ParquetSharp to version 23.0.0.1 or higher, where the width is validated before allocation. If upgrading is not immediate, avoid processing untrusted Parquet files. Validate decimal column width in a wrapper before passing to DecimalConverter.ReadDecimal.
Impact
Successful exploitation leads to a denial of service through service termination. Recovering requires restarting the service, but repeated exploitation can cause persistent unavailability.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

