CVEReports
CVEReports

Automated vulnerability intelligence platform. Comprehensive reports for high-severity CVEs generated by AI.

Product

  • Home
  • Sitemap
  • RSS Feed

Company

  • About
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CVEReports. All rights reserved.

Made with love by Amit Schendel & Alon Barad



GHSA-32WQ-PPWG-3W4M

GHSA-32WQ-PPWG-3W4M: Denial of Service in EnhancedLinq.Async via Microsoft.Bcl.Memory Out-of-Bounds Read

Alon Barad
Alon Barad
Software Engineer

Apr 2, 2026·4 min read·23 visits

Executive Summary (TL;DR)

A flaw in the Base64Url decoder of Microsoft.Bcl.Memory causes an out-of-bounds read when parsing crafted input. Applications using EnhancedLinq.Async are vulnerable to Denial of Service via process crashes.

EnhancedLinq.Async is vulnerable to a Denial of Service (DoS) attack due to an out-of-bounds read flaw inherited from its transitive dependency on Microsoft.Bcl.Memory. This issue, originally tracked as CVE-2026-26127, allows unauthenticated remote attackers to crash applications by supplying malformed Base64Url-encoded payloads.

Vulnerability Overview

GHSA-32WQ-PPWG-3W4M identifies a transitive Denial of Service (DoS) vulnerability impacting the EnhancedLinq.Async package. The vulnerability is not indigenous to the EnhancedLinq.Async codebase. Instead, it stems from its reliance on the Microsoft.Bcl.Memory NuGet package, which contains a critical flaw in its Base64Url decoding implementation (CVE-2026-26127).

The vulnerability is classified as an Out-of-bounds Read (CWE-125). Unauthenticated attackers can exploit this flaw by submitting specially crafted Base64Url strings to application endpoints that process this data. The lack of adequate bounds checking during the decoding phase triggers an out-of-bounds memory access.

In the context of the .NET Core runtime, an out-of-bounds read in managed memory structures typically results in an unhandled runtime exception. Because this exception originates deep within memory allocation or array slicing mechanisms, it often bypasses standard application-level try-catch blocks, causing the entire host process to terminate unexpectedly.

Root Cause Analysis

The root cause of CVE-2026-26127 resides in the .NET and Microsoft.Bcl.Memory implementation of the Base64Url decoder. The decoder is responsible for translating Base64Url-encoded strings into byte arrays. During this translation, the algorithm computes the expected output buffer size and iterates over the input string to perform bitwise extraction and decoding.

The implementation fails to properly validate the length and composition of the input before advancing its read pointers. When the decoder processes a string with an invalid length, trailing padding inconsistencies, or unexpected non-alphabet characters, the internal pointer arithmetic miscalculates the read boundaries. This arithmetic error forces the algorithm to attempt a read operation past the allocated bounds of the input span.

Because the operation involves unsafe context operations or highly optimized span slicing for performance, the runtime engine detects the out-of-bounds access and throws a fatal execution engine exception or an IndexOutOfRangeException. This behavior creates a reliable mechanism for an external attacker to force application instability.

Exploitation Methodology

Exploitation of this vulnerability is straightforward and requires no specialized tools beyond a standard HTTP client. The attacker must first identify an application endpoint or functionality that accepts user-supplied strings which are subsequently passed into EnhancedLinq.Async and evaluated by the Base64Url decoder.

Common attack vectors include authentication endpoints expecting JWTs, OAuth state parameters, webhook receiver payloads, or data ingestion APIs. The attacker crafts a Base64Url string that structurally violates the expected byte alignment, typically by utilizing an invalid length modulo or truncating the required padding parameters.

Upon transmitting this malformed payload over the network, the target application attempts to deserialize or decode the input. The vulnerable decoding loop executes, triggers the out-of-bounds read offset, and faults the process. An attacker can repeatedly issue this request to maintain a continuous Denial of Service state, preventing legitimate users from accessing the service.

Impact Assessment

The CVSS v3.1 vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, resulting in a Base Score of 7.5. The impact is strictly isolated to the Availability metric. There is no evidence that the out-of-bounds read can be pivoted to achieve arbitrary code execution or to leak sensitive memory contents to the attacker.

Despite the lack of confidentiality or integrity impacts, the availability impact is severe. High-performance .NET web APIs utilizing EnhancedLinq.Async are highly susceptible to sudden termination. This abrupt termination drops all active connections, aborts in-flight transactions, and forces the application infrastructure into a continuous restart loop if an orchestration system (like Kubernetes) is managing the pods.

The widespread use of Base64Url encoding in modern web protocols (such as OpenID Connect and generic token passing) amplifies the likelihood of the vulnerable code path being reachable from untrusted network boundaries.

Remediation and Mitigation

The definitive remediation for this vulnerability requires updating the vulnerable Microsoft.Bcl.Memory component. Since EnhancedLinq.Async inherits this vulnerability transitively, developers must explicitly override the dependency version if a pre-patched version of the primary package is not yet deployed.

Developers must update their project files (.csproj) to explicitly include Microsoft.Bcl.Memory version 9.0.14 or later. This forces the NuGet package manager to resolve the dependency graph using the secured version, bypassing the vulnerable version requested by EnhancedLinq.Async.

<ItemGroup>
  <PackageReference Include="Microsoft.Bcl.Memory" Version="9.0.14" />
</ItemGroup>

As a defense-in-depth measure, developers should implement pre-flight validation on all Base64Url inputs. Ensuring that input strings adhere strictly to length constraints and character sets before passing them to core decoding APIs can prevent malformed payloads from ever reaching the vulnerable code path.

Technical Appendix

CVSS Score
7.5/ 10
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Affected Systems

EnhancedLinq.AsyncMicrosoft.Bcl.Memory.NET Ecosystem

Affected Versions Detail

Product
Affected Versions
Fixed Version
EnhancedLinq.Async
Alastair Lundy
< 1.0.0-beta.4Dependent on Microsoft.Bcl.Memory override
Microsoft.Bcl.Memory
Microsoft
< 9.0.149.0.14
AttributeDetail
Vulnerability TypeOut-of-bounds Read
CWE IDCWE-125
Attack VectorNetwork
CVSS Score7.5 (High)
Exploit StatusUnauthenticated DoS
ImpactHigh Availability Loss

MITRE ATT&CK Mapping

T1498Network Denial of Service
Impact
T1190Exploit Public-Facing Application
Initial Access
CWE-125
Out-of-bounds Read

The software reads data past the end, or before the beginning, of the intended buffer.

Vulnerability Timeline

CVE-2026-26127 was publicly disclosed as part of Microsoft's Security Advisory.
2026-03-10
GHSA-32WQ-PPWG-3W4M was published identifying inherited risk in EnhancedLinq.Async.
2026-03-01

References & Sources

  • [1]GitHub Advisory (EnhancedLinq.Async)
  • [2]GitHub Repository Advisory
  • [3]Microsoft Security Advisory (CVE-2026-26127)
  • [4]NuGet Package: EnhancedLinq.Async
  • [5]Related .NET Advisory
Related Vulnerabilities
CVE-2026-26127

Attack Flow Diagram

Press enter or space to select a node. You can then use the arrow keys to move the node around. Press delete to remove it and escape to cancel.
Press enter or space to select an edge. You can then press delete to remove it or escape to cancel.

More Reports

•2 days ago•CVE-2026-55699
6.5

CVE-2026-55699: Arbitrary Directory Deletion via Path Traversal in pnpm globalBinDir Resolver

CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.

Amit Schendel
Amit Schendel
13 views•6 min read
•2 days ago•CVE-2026-55700
7.1

CVE-2026-55700: Path Traversal and Arbitrary File Write in pnpm stage download

A path traversal vulnerability in pnpm stage download allows malicious registries or compromised package manifests to overwrite arbitrary files on the victim's filesystem via unvalidated package name and version fields.

Alon Barad
Alon Barad
10 views•4 min read
•2 days ago•GHSA-WW5P-J6CJ-6MQQ
5.5

GHSA-WW5P-J6CJ-6MQQ: Credential Exposure in Nezha Dashboard DDNS and Notification APIs

GHSA-WW5P-J6CJ-6MQQ is a technical credential exposure vulnerability in Nezha Dashboard prior to version 2.2.5. The vulnerability allows authenticated administrative users or actors possessing scoped read-only Personal Access Tokens (PATs) to exfiltrate plaintext third-party API credentials, secret keys, and webhook authorization headers due to a lack of data redaction during API object serialization.

Amit Schendel
Amit Schendel
10 views•7 min read
•2 days ago•GHSA-FR4H-3CPH-29XV
7.1

GHSA-FR4H-3CPH-29XV: Path Traversal and Directory Hijacking in pnpm and pacquet Dependency Resolution

GHSA-FR4H-3CPH-29XV is a high-severity path traversal vulnerability in pnpm and its Rust-based port pacquet. The flaw manifests when using the hoisted node-linker configuration, allowing an attacker to manipulate the lockfile to resolve relative traversal sequences or target reserved subdirectories, leading to arbitrary file write or execution hijacking.

Amit Schendel
Amit Schendel
7 views•8 min read
•2 days ago•GHSA-72R4-9C5J-MJ57
7.1

GHSA-72R4-9C5J-MJ57: Arbitrary File Deletion via Path Traversal in pnpm patch-remove

A path traversal vulnerability in the pnpm package manager's 'patch-remove' command allows an attacker to delete arbitrary files outside the patches directory. By manipulating configuration files like package.json, an attacker can specify a traversal path that the application deletes recursively without validating the path's containment.

Alon Barad
Alon Barad
7 views•5 min read
•2 days ago•GHSA-QRV3-253H-G69C
8.3

GHSA-QRV3-253H-G69C: Path Traversal and Arbitrary Symlink Creation via configDependencies in pnpm

A high-severity path traversal vulnerability exists in the pnpm package manager. By crafting a malicious lockfile (pnpm-lock.yaml) with path traversal characters in the configDependencies block, an attacker can create arbitrary directories and symlinks outside the project's node_modules/.pnpm-config directory. This exploitation happens automatically during pnpm installation, even when executing with scripts disabled via the --ignore-scripts flag.

Amit Schendel
Amit Schendel
9 views•7 min read