Vulnerability Description
OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file with a cycle in the LeftSiblingID / RightSiblingID chain causes Storage.EnumerateEntries() and Storage.OpenStream() to loop indefinitely, consuming the calling thread with no possibility of recovery via try/catch. This issue has been patched in version 3.1.3.
CVSS Score
MEDIUM
Related Weaknesses (CWE)
References
- https://github.com/openmcdf/openmcdf/commit/24f445a557fc4f46461cf6d02d296cce16c2
- https://github.com/openmcdf/openmcdf/releases/tag/v3.1.3
- https://github.com/openmcdf/openmcdf/security/advisories/GHSA-jxpf-xq2m-q525
- https://github.com/openmcdf/openmcdf/security/advisories/GHSA-jxpf-xq2m-q525
FAQ
What is CVE-2026-41511?
CVE-2026-41511 is a vulnerability with a CVSS score of 6.2 (MEDIUM). OpenMcdf is a fully .NET / C# library to manipulate Compound File Binary File Format files, also known as Structured Storage. Prior to version 3.1.3, OpenMcdf does not detect cycles in the directory e...
How severe is CVE-2026-41511?
CVE-2026-41511 has been rated MEDIUM with a CVSS base score of 6.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-41511?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.