{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/nuget/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Snappier (\u003c= 1.3.0)"],"_cs_severities":["medium"],"_cs_tags":["denial-of-service","compression","infinite-loop"],"_cs_type":"advisory","_cs_vendors":["NuGet"],"content_html":"\u003cp\u003eThe Snappier library, specifically the \u003ccode\u003eSnappyStream\u003c/code\u003e class, is susceptible to a denial-of-service vulnerability when decompressing malformed Snappy streams in framed format. An attacker who can control the input to the \u003ccode\u003eSnappyStream\u003c/code\u003e decompression process can trigger an infinite loop, leading to excessive CPU consumption and thread exhaustion. This issue affects applications using Snappier version 1.3.0 and earlier. The vulnerability stems from an unhandled condition in the decompression logic, causing the \u003ccode\u003eSnappyStreamDecompressor.Decompress\u003c/code\u003e method to repeatedly call \u003ccode\u003eCrc32CAlgorithm.Append\u003c/code\u003e without termination. 
Standard exception handling mechanisms (try/catch blocks) are ineffective in preventing the hang, making it difficult to mitigate without terminating the affected process.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker crafts a malformed Snappy compressed data stream (as small as 15 bytes).\u003c/li\u003e\n\u003cli\u003eThe attacker sends this malformed stream to a service or application using the Snappier library for decompression.\u003c/li\u003e\n\u003cli\u003eThe application instantiates a \u003ccode\u003eSnappyStream\u003c/code\u003e object with \u003ccode\u003eCompressionMode.Decompress\u003c/code\u003e to handle the incoming data stream.\u003c/li\u003e\n\u003cli\u003eThe application calls \u003ccode\u003eCopyTo()\u003c/code\u003e or a similar method on the \u003ccode\u003eSnappyStream\u003c/code\u003e to decompress the data.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSnappyStreamDecompressor.Decompress\u003c/code\u003e method is invoked internally.\u003c/li\u003e\n\u003cli\u003eDue to the malformed input, an infinite loop occurs within \u003ccode\u003eSnappyStreamDecompressor.Decompress\u003c/code\u003e involving repeated calls to \u003ccode\u003eCrc32CAlgorithm.Append\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eA single CPU core is consumed at 100% by the affected thread.\u003c/li\u003e\n\u003cli\u003eThe application hangs indefinitely, requiring termination to recover.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability results in a denial-of-service condition. An attacker can remotely trigger the infinite loop by sending malicious data to any application that utilizes the vulnerable \u003ccode\u003eSnappier.SnappyStream\u003c/code\u003e for decompression. This can lead to resource exhaustion, application unavailability, and potentially impact other services relying on the same system. 
Because \u003ccode\u003etry/catch\u003c/code\u003e blocks do not prevent the hang, the service remains inoperable until it is manually restarted.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to a patched version of the Snappier library that addresses CVE-2026-44302.\u003c/li\u003e\n\u003cli\u003eImplement input validation and sanitization on data streams prior to decompression using \u003ccode\u003eSnappier.SnappyStream\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eMonitor CPU usage for processes utilizing the Snappier library. Deploy the process monitoring rule below to detect potential exploitation attempts based on high CPU usage.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T20:53:23Z","date_published":"2026-05-06T20:53:23Z","id":"/briefs/2026-05-snappier-dos/","summary":"Snappier versions 1.3.0 and earlier are vulnerable to a denial-of-service condition where a malformed Snappy stream input to `SnappyStream` decompression causes an infinite loop, consuming a thread until the process is terminated.","title":"Snappier SnappyStream Decompression Infinite Loop Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-05-snappier-dos/"},{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["Nerdbank.MessagePack (\u003c 1.1.62)"],"_cs_severities":["high"],"_cs_tags":["denial-of-service","stack-overflow","messagepack"],"_cs_type":"advisory","_cs_vendors":["NuGet"],"content_html":"\u003cp\u003eNerdbank.MessagePack versions prior to 1.1.62 are vulnerable to an uncontrolled stack allocation vulnerability. This flaw allows an attacker to craft a malicious MessagePack payload that declares an oversized timestamp extension length. When the application attempts to deserialize this payload and encounters a \u003ccode\u003eDateTime\u003c/code\u003e value, the reader allocates an attacker-controlled number of bytes on the stack. 
This excessive allocation results in a \u003ccode\u003eStackOverflowException\u003c/code\u003e, causing the application to terminate. This vulnerability impacts applications that deserialize MessagePack data from untrusted sources and can lead to denial-of-service conditions. Defenders should prioritize patching or implementing workarounds to mitigate this risk.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAttacker crafts a malicious MessagePack payload with an invalid timestamp extension length (not 4, 8, or 12 bytes).\u003c/li\u003e\n\u003cli\u003eThe target application receives the malicious MessagePack payload from an untrusted source.\u003c/li\u003e\n\u003cli\u003eThe application attempts to deserialize the MessagePack data using Nerdbank.MessagePack.\u003c/li\u003e\n\u003cli\u003eDuring deserialization, the \u003ccode\u003eDateTime\u003c/code\u003e decoder encounters the malicious timestamp extension.\u003c/li\u003e\n\u003cli\u003eThe decoder derives \u003ccode\u003etokenSize\u003c/code\u003e from the attacker-controlled extension length \u003cem\u003ebefore\u003c/em\u003e validating its size.\u003c/li\u003e\n\u003cli\u003eThe unvalidated size is used in a \u003ccode\u003estackalloc\u003c/code\u003e on the streaming reader\u0026rsquo;s slow path, allocating an excessive amount of stack memory.\u003c/li\u003e\n\u003cli\u003eThe excessive stack allocation triggers a \u003ccode\u003eStackOverflowException\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eStackOverflowException\u003c/code\u003e terminates the application process, resulting in a denial of service.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability leads to a denial-of-service condition due to process termination. 
The vulnerability affects applications deserializing MessagePack data from untrusted sources, particularly those handling long-running processes such as services, APIs, workers, or message consumers. Even small malicious payloads can trigger the vulnerability due to the attacker-controlled extension length. This could potentially disrupt critical business functions relying on affected applications.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade to Nerdbank.MessagePack version 1.1.62 or later to remediate the vulnerability.\u003c/li\u003e\n\u003cli\u003eImplement pre-validation of MessagePack extension headers, rejecting timestamp extensions with lengths other than 4, 8, or 12 bytes, as suggested in the advisory [GHSA-2cwq-pwfr-wcw3].\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u0026ldquo;Nerdbank MessagePack Suspicious Stack Allocation\u0026rdquo; to detect potential exploitation attempts in your environment.\u003c/li\u003e\n\u003cli\u003eIf immediate patching is not feasible, consider running deserialization of untrusted payloads in isolated processes that can be safely restarted, as described in [GHSA-2cwq-pwfr-wcw3].\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-26T12:00:00Z","date_published":"2024-01-26T12:00:00Z","id":"/briefs/2024-01-nerdbank-stack-overflow/","summary":"A malicious MessagePack payload can trigger a StackOverflowException in Nerdbank.MessagePack due to an uncontrolled stack allocation when decoding DateTime values with oversized timestamp extension lengths, leading to process termination.","title":"Nerdbank.MessagePack DateTime Decoding Stack Overflow Vulnerability","url":"https://feed.craftedsignal.io/briefs/2024-01-nerdbank-stack-overflow/"}],"language":"en","title":"CraftedSignal Threat Feed — NuGet","version":"https://jsonfeed.org/version/1.1"}