Update:
[MODERATE] GHSA-5qwm-7pvp-w988: OpenMcdf: Uncatchable infinite loop in DirectoryTree.TryGetDirectoryEntry on crafted CFB directory cycle
GitHub Security Advisory·Security·SecurityFix·5/19/2026
### Summary

The BST name-lookup loop in `DirectoryTree.TryGetDirectoryEntry` (`OpenMcdf/DirectoryTree.cs:35-46`) walks directory entries by repeatedly calling `directories.TryGetSibling(child, siblingType, validateColor)`. A crafted CFB file with cyclic Left/Right sibling links among directory entri
Why it matters → openmcdf released an update. Review the changelog for relevant changes.
Who should care → Teams using openmcdf.
openmcdf
Source payload preview
{
  "ghsaId": "GHSA-5qwm-7pvp-w988",
  "summary": "OpenMcdf: Uncatchable infinite loop in DirectoryTree.TryGetDirectoryEntry on crafted CFB directory cycle",
  "severity": "MODERATE",
  "updatedAt": "2026-05-19T19:51:00Z",
  "references": [
    {
      "url": "https://github.com/openmcdf/openmcdf/security/advisories/GHSA-5qwm-7pvp-w988"
    },
    {
      "url": "https://github.com/advisories/GHSA-5qwm-7pvp-w988"
    }
  ],
  "description": "### Summary\nThe BST name-lookup loop in `DirectoryTree.TryGetDirectoryEntry` (`OpenMcdf/DirectoryTree.cs:35-46`) walks directory entries by repeatedly calling `directories.TryGetSibling(child, siblingType, validateColor)`. A crafted CFB file with cyclic Left/Right sibling links among directory entries - constructed so the per-step BST-order check in `
…