GHSA-32WQ-PPWG-3W4M: Denial of Service in EnhancedLinq.Async via Microsoft.Bcl.Memory Out-of-Bounds Read

GHSA-32WQ-PPWG-3W4M identifies a transitive Denial of Service (DoS) vulnerability impacting the EnhancedLinq.Async package. The vulnerability is not indigenous to the EnhancedLinq.Async codebase. Instead, it stems from its reliance on the Microsoft.Bcl.Memory NuGet package, which contains a critical flaw in its Base64Url decoding implementation (CVE-2026-26127).

The vulnerability is classified as an Out-of-bounds Read (CWE-125). Unauthenticated attackers can exploit this flaw by submitting specially crafted Base64Url strings to application endpoints that process this data. The lack of adequate bounds checking during the decoding phase triggers an out-of-bounds memory access.

In the context of the .NET Core runtime, an out-of-bounds read in managed memory structures typically results in an unhandled runtime exception. Because this exception originates deep within memory allocation or array slicing mechanisms, it often bypasses standard application-level try-catch blocks, causing the entire host process to terminate unexpectedly.

The root cause of CVE-2026-26127 resides in the .NET and Microsoft.Bcl.Memory implementation of the Base64Url decoder. The decoder is responsible for translating Base64Url-encoded strings into byte arrays. During this translation, the algorithm computes the expected output buffer size and iterates over the input string to perform bitwise extraction and decoding.

The implementation fails to properly validate the length and composition of the input before advancing its read pointers. When the decoder processes a string with an invalid length, trailing padding inconsistencies, or unexpected non-alphabet characters, the internal pointer arithmetic miscalculates the read boundaries. This arithmetic error forces the algorithm to attempt a read operation past the allocated bounds of the input span.

Because the operation involves unsafe context operations or highly optimized span slicing for performance, the runtime engine detects the out-of-bounds access and throws a fatal execution engine exception or an IndexOutOfRangeException. This behavior creates a reliable mechanism for an external attacker to force application instability.

Exploitation of this vulnerability is straightforward and requires no specialized tools beyond a standard HTTP client. The attacker must first identify an application endpoint or functionality that accepts user-supplied strings which are subsequently passed into EnhancedLinq.Async and evaluated by the Base64Url decoder.

Common attack vectors include authentication endpoints expecting JWTs, OAuth state parameters, webhook receiver payloads, or data ingestion APIs. The attacker crafts a Base64Url string that structurally violates the expected byte alignment, typically by utilizing an invalid length modulo or truncating the required padding parameters.

Upon transmitting this malformed payload over the network, the target application attempts to deserialize or decode the input. The vulnerable decoding loop executes, triggers the out-of-bounds read offset, and faults the process. An attacker can repeatedly issue this request to maintain a continuous Denial of Service state, preventing legitimate users from accessing the service.

The CVSS v3.1 vector for this vulnerability is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, resulting in a Base Score of 7.5. The impact is strictly isolated to the Availability metric. There is no evidence that the out-of-bounds read can be pivoted to achieve arbitrary code execution or to leak sensitive memory contents to the attacker.

Despite the lack of confidentiality or integrity impacts, the availability impact is severe. High-performance .NET web APIs utilizing EnhancedLinq.Async are highly susceptible to sudden termination. This abrupt termination drops all active connections, aborts in-flight transactions, and forces the application infrastructure into a continuous restart loop if an orchestration system (like Kubernetes) is managing the pods.

The widespread use of Base64Url encoding in modern web protocols (such as OpenID Connect and generic token passing) amplifies the likelihood of the vulnerable code path being reachable from untrusted network boundaries.

The definitive remediation for this vulnerability requires updating the vulnerable Microsoft.Bcl.Memory component. Since EnhancedLinq.Async inherits this vulnerability transitively, developers must explicitly override the dependency version if a pre-patched version of the primary package is not yet deployed.

Developers must update their project files (.csproj) to explicitly include Microsoft.Bcl.Memory version 9.0.14 or later. This forces the NuGet package manager to resolve the dependency graph using the secured version, bypassing the vulnerable version requested by EnhancedLinq.Async.

<ItemGroup>
  <PackageReference Include="Microsoft.Bcl.Memory" Version="9.0.14" />
</ItemGroup>

As a defense-in-depth measure, developers should implement pre-flight validation on all Base64Url inputs. Ensuring that input strings adhere strictly to length constraints and character sets before passing them to core decoding APIs can prevent malformed payloads from ever reaching the vulnerable code path.