CVE-2026-45785: OpenMcdf: Uncatchable infinite loop in DirectoryTree.TryGetDirectoryEntry on crafted CFB directory cycle

May 19, 2026

The BST name-lookup loop in DirectoryTree.TryGetDirectoryEntry (OpenMcdf/DirectoryTree.cs:35-46) walks directory entries by repeatedly calling directories.TryGetSibling(child, siblingType, validateColor). A crafted CFB file with cyclic Left/Right sibling links among directory entries - constructed so the per-step BST-order check in TryGetSibling (DirectoryEntries.cs:84-85) is satisfied at every step - drives this while (child is not null) loop forever. There is no cycle detection in TryGetDirectoryEntry.

References

github.com/advisories/GHSA-5qwm-7pvp-w988
github.com/openmcdf/openmcdf/security/advisories/GHSA-5qwm-7pvp-w988
nvd.nist.gov/vuln/detail/CVE-2026-45785

Code Behaviors & Features

Detect and mitigate CVE-2026-45785 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →