PT-2026-34607 · Openmcdf · Openmcdf

Pawlos

Published

2026-04-22

Updated

2026-06-01

CVE-2026-41511

CVSS v3.1

6.2

Medium

Vector

AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Name of the Vulnerable Software and Affected Versions OpenMcdf (affected versions not specified)

Description OpenMcdf fails to detect cycles in the directory entry red-black tree of a Compound File Binary (CFB) document. A crafted CFB file containing a cycle in the LeftSiblingID or RightSiblingID chain causes the software to loop indefinitely, leading to a denial of service. This occurs because the DirectoryTreeEnumerator and DirectoryTree.TryGetDirectoryEntry traverse the tree without tracking visited node IDs.

Two specific code paths are affected:

The Storage.EnumerateEntries() function, where DirectoryTreeEnumerator.MoveNext() never returns false, causing the caller's loop to never exit and the heap to grow unboundedly.
The Storage.OpenStream() function, where DirectoryTree.TryGetDirectoryEntry loops indefinitely within DirectoryEntries.TryGetSibling during name lookup.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.

Exploit

DoS

Infinite Loop

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-835

Related Identifiers

CVE-2026-41511

GHSA-JXPF-XQ2M-Q525

Affected Products

Openmcdf

PT-2026-34607 · Openmcdf · Openmcdf

CVE-2026-41511

Weakness Enumeration

Related Identifiers

Affected Products

References · 13