CVE-2026-41511: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') in ironfede openmcdf
CVE-2026-41511 is a medium severity vulnerability in the openmcdf . NET library prior to version 3. 1. 3. The issue arises because the library does not detect cycles in the directory entry red-black tree of Compound File Binary (CFB) documents. A specially crafted CFB file containing a cycle in the LeftSiblingID/RightSiblingID chain can cause the Storage. EnumerateEntries() and Storage. OpenStream() methods to enter an infinite loop. This infinite loop consumes the calling thread indefinitely and cannot be recovered from using try/catch blocks. The vulnerability has been addressed in openmcdf version 3.
AI Analysis
Technical Summary
OpenMcdf is a .NET/C# library for manipulating Compound File Binary Format files. Versions prior to 3.1.3 do not detect cyclic references in the directory entry red-black tree structure of CFB files. An attacker can craft a malicious CFB file with a cycle in the LeftSiblingID/RightSiblingID pointers, causing the library's Storage.EnumerateEntries() and Storage.OpenStream() functions to loop infinitely. This results in a denial of service by consuming the calling thread with no recovery possible via exception handling. The issue is classified under CWE-835 (Loop with Unreachable Exit Condition). The vulnerability is fixed in version 3.1.3 of openmcdf.
Potential Impact
The vulnerability causes a denial of service condition by triggering an infinite loop in the affected library functions, which consumes the calling thread indefinitely. There is no impact on confidentiality or integrity. The CVSS v3.1 base score is 6.2 (medium severity), reflecting local attack vector, low complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and high impact on availability.
Mitigation Recommendations
A fix is available in openmcdf version 3.1.3. Users of the openmcdf library should upgrade to version 3.1.3 or later to remediate this vulnerability. No other mitigation or workaround is indicated or necessary according to the available information.
CVE-2026-41511: CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop') in ironfede openmcdf
Description
CVE-2026-41511 is a medium severity vulnerability in the openmcdf . NET library prior to version 3. 1. 3. The issue arises because the library does not detect cycles in the directory entry red-black tree of Compound File Binary (CFB) documents. A specially crafted CFB file containing a cycle in the LeftSiblingID/RightSiblingID chain can cause the Storage. EnumerateEntries() and Storage. OpenStream() methods to enter an infinite loop. This infinite loop consumes the calling thread indefinitely and cannot be recovered from using try/catch blocks. The vulnerability has been addressed in openmcdf version 3.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
OpenMcdf is a .NET/C# library for manipulating Compound File Binary Format files. Versions prior to 3.1.3 do not detect cyclic references in the directory entry red-black tree structure of CFB files. An attacker can craft a malicious CFB file with a cycle in the LeftSiblingID/RightSiblingID pointers, causing the library's Storage.EnumerateEntries() and Storage.OpenStream() functions to loop infinitely. This results in a denial of service by consuming the calling thread with no recovery possible via exception handling. The issue is classified under CWE-835 (Loop with Unreachable Exit Condition). The vulnerability is fixed in version 3.1.3 of openmcdf.
Potential Impact
The vulnerability causes a denial of service condition by triggering an infinite loop in the affected library functions, which consumes the calling thread indefinitely. There is no impact on confidentiality or integrity. The CVSS v3.1 base score is 6.2 (medium severity), reflecting local attack vector, low complexity, no privileges required, no user interaction, unchanged scope, no confidentiality or integrity impact, and high impact on availability.
Mitigation Recommendations
A fix is available in openmcdf version 3.1.3. Users of the openmcdf library should upgrade to version 3.1.3 or later to remediate this vulnerability. No other mitigation or workaround is indicated or necessary according to the available information.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-20T18:18:50.681Z
- Cvss Version
- 3.1
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69fe3432cbff5d86101a14dc
Added to database: 5/8/2026, 7:06:26 PM
Last enriched: 5/8/2026, 7:21:31 PM
Last updated: 5/8/2026, 11:27:06 PM
Views: 8
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.