CVE-2026-45785

MEDIUMPre-NVD 6.26.2
EchelonGraph scoreLOW confidence

This medium-severity CVE scores 6.2 under the CNA's CVSS (NVD's own analysis pending). EPSS exploit probability: 0.0%, top 96% of all CVEs by exploit prediction. GitHub Security Advisory data not yet ingested — confidence will rise once GHSA publishes (typical lag: hours to days for open-source ecosystem CVEs; never for infrastructure-only CVEs).

Triggered by: NVD CVSS baseline
Sources: cna:github_m, epss
6.2
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • Lower severity and no public exploit yet
CISA-KEV: Not listedEPSS: 0%CVSS: 6.2Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

OpenMcdf: Uncatchable infinite loop in DirectoryTree.TryGetDirectoryEntry on crafted CFB directory cycle

Summary

The BST name-lookup loop in DirectoryTree.TryGetDirectoryEntry (OpenMcdf/DirectoryTree.cs:35-46) walks directory entries by repeatedly calling directories.TryGetSibling(child, siblingType, validateColor). A crafted CFB file with cyclic Left/Right sibling links among directory entries - constructed so the per-step BST-order check in TryGetSibling (DirectoryEntries.cs:84-85) is satisfied at every step - drives this while (child is not null) loop forever. There is no cycle detection in TryGetDirectoryEntry.

Details

The recent Brent's-algorithm commit (24f445a) protects DirectoryTreeEnumerator and works correctly for both attached repros - pure EnumerateEntries() throws FileFormatException: Directory tree contains a loop cleanly. The unprotected code path is the lookup-by-name loop, which is reached from multiple public APIs:
  • RootStorage.OpenStorage(name) / TryOpenStorage(name)
  • RootStorage.OpenStream(name) / TryOpenStream(name)

The second one matters most: typical consumers iterate EnumerateEntries() and call OpenStream(entry.Name) per Stream entry. With Brent's algorithm catching the enumeration cycle but not the per-entry lookup, callers can still hang as soon as they touch a streamed entry.

PoC

Two minimal repros attached, demonstrating the same lookup-loop bug reached via two different public APIs:
  • repro_lookup.cfb (5,632 bytes) - hangs on direct OpenStorage(name) for a name not present in the directory
  • repro_enumerate.cfb (7,936 bytes) - hangs on OpenStream(entry.Name) called for an entry returned by EnumerateEntries() (the common consumer pattern)

Repro 1 - OpenStorage(name)

using OpenMcdf;

using var fs = File.OpenRead("repro_lookup.cfb"); using var root = RootStorage.Open(fs); root.TryOpenStorage("__substg1.0_3001001F", out _); // process spins at 100% CPU; Ctrl+C required.

Repro 2 - OpenStream from inside an enumeration loop

using OpenMcdf;

using var fs = File.OpenRead("repro_enumerate.cfb"); using var root = RootStorage.Open(fs); foreach (var entry in root.EnumerateEntries()) // safe: Brent's catches enumeration cycles { if (entry.Type == EntryType.Stream) _ = root.OpenStream(entry.Name); // hangs: lookup path has no cycle detection }

Both processes will not terminate.

(Note: pure foreach (var entry in root.EnumerateEntries()) { } with no per-entry lookup is safe - Brent's algorithm in DirectoryTreeEnumerator catches the enumeration cycle and throws FileFormatException: Directory tree contains a loop. The hang only manifests once a name lookup is performed.)

repros.zip

Impact

A denial of service affecting any application that opens untrusted CFB files with OpenMcdf. A small crafted input with a cyclic directory tree reaches the unprotected BST name-lookup in DirectoryTree.TryGetDirectoryEntry, hit by any caller of OpenStorage / TryOpenStorage / OpenStream / TryOpenStream - including the very common pattern of iterating EnumerateEntries() and calling OpenStream(entry.Name) per Stream entry. The cycles bypass the per-step BST-order check in TryGetSibling, so no exception is thrown and try/catch cannot protect callers. The affected thread is unrecoverable without killing the process. Downstream CFB consumers (e.g. .msg-file parsers) inherit transitively.

CVSS v3
6.2
EG Score
6.2(low)
EPSS
4.4%
KEV
Not listed

Published

May 19, 2026

Last Modified

May 19, 2026

Vendor Advisories for CVE-2026-45785(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
NuGet(1)
PackageVulnerable rangeFixed inDependents
OpenMcdf1.5.4 ... 3.1.3 (34 versions)3.1.4

Data Freshness Timeline

(refreshed 0× in last 7d / 13× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-29 20:41 UTCEG score recompute
  2. 2026-06-27 20:23 UTCEG score recompute
  3. 2026-06-26 19:45 UTCEG score recompute
  4. 2026-06-25 16:45 UTCEG score recompute
  5. 2026-06-17 21:51 UTCEG score recompute
  6. 2026-06-16 22:25 UTCEG score recompute
  7. 2026-06-15 22:58 UTCEG score recompute
  8. 2026-06-14 23:18 UTCEPSS rescore
  9. 2026-06-14 22:03 UTCEG score recompute
  10. 2026-06-13 23:00 UTCEPSS rescore
  11. 2026-06-13 22:37 UTCEG score recompute
  12. 2026-06-12 23:12 UTCEPSS rescore
  13. 2026-06-12 20:26 UTCEG score recompute
  14. 2026-06-11 21:00 UTCEG score recompute
  15. 2026-06-10 21:34 UTCEG score recompute
  16. 2026-06-09 22:07 UTCEG score recompute
  17. 2026-06-08 22:41 UTCEG score recompute
  18. 2026-06-07 23:14 UTCEG score recompute
  19. 2026-06-06 23:48 UTCEG score recompute
  20. 2026-06-06 00:21 UTCEG score recompute
  21. 2026-06-05 00:54 UTCEG score recompute
  22. 2026-06-04 01:27 UTCEG score recompute
  23. 2026-06-03 02:00 UTCEG score recompute
  24. 2026-06-02 02:33 UTCEG score recompute
  25. 2026-06-01 03:06 UTCEG score recompute
Show 1 more
  1. 2026-05-24 06:13 UTCEG score recompute

Frequently asked(5)

What is CVE-2026-45785?
CVE-2026-45785 is a medium vulnerability published on May 19, 2026. OpenMcdf: Uncatchable infinite loop in DirectoryTree.TryGetDirectoryEntry on crafted CFB directory cycle Summary The BST name-lookup loop in DirectoryTree.TryGetDirectoryEntry (OpenMcdf/DirectoryTree.cs:35-46) walks directory entries by repeatedly calling directories.TryGetSibling(child,…
When was CVE-2026-45785 disclosed?
CVE-2026-45785 was first published in the National Vulnerability Database on May 19, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-45785 actively exploited?
CVE-2026-45785 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 4.4% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
What is the CVSS score of CVE-2026-45785?
CVE-2026-45785 has a CVSS v4.0 base score of 6.2 (CNA self-assessment; NVD's own analysis pending). The EG score is currently aggregating — additional source signals are being incorporated as they become available..
How do I remediate CVE-2026-45785?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-45785, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-45785

Explore →

Is Your Infrastructure Affected by CVE-2026-45785?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.