PatchSiren cyber security CVE debrief
CVE-2026-44302 brantburnett CVE debrief
A denial-of-service vulnerability exists in Snappier, a high-performance C# implementation of the Snappy compression algorithm. Versions prior to 1.3.1 are affected by an uncatchable infinite loop that triggers when decompressing malformed framed-format Snappy streams. The vulnerability can be exploited with input as small as 15 bytes, making it trivial to trigger. The CVSS 3.1 score of 7.5 (HIGH) reflects network attack vector, low attack complexity, no required privileges or user interaction, and high availability impact. The root cause is classified under CWE-835 (Loop with Unreachable Exit Condition). The vulnerability was disclosed via GitHub Security Advisory and published to NVD on May 12, 2026, with subsequent modification on May 18, 2026.
- Vendor: brantburnett
- Product: Snappier
- CVSS: HIGH 7.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-12
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-12
- Advisory updated: 2026-05-18
Who should care
Organizations using the Snappier library for Snappy compression in .NET applications, particularly those that decompress untrusted data streams in network-facing services or file upload handlers.
Technical summary
Snappier.SnappyStream in versions prior to 1.3.1 enters an uncatchable infinite loop when processing malformed framed-format Snappy streams. The vulnerability is triggered by crafted input as small as 15 bytes, resulting in complete CPU exhaustion and denial of service. The issue stems from improper loop control logic (CWE-835) during stream decompression. No authentication or user interaction is required for exploitation. The fix in version 1.3.1 addresses the loop exit condition to prevent indefinite execution.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade Snappier to version 1.3.1 or later to remediate the infinite loop vulnerability.
- Review applications using Snappier.SnappyStream for untrusted input handling and implement input validation where possible.
- Monitor for anomalous CPU consumption patterns that may indicate exploitation attempts against SnappyStream decompression endpoints.
- If immediate patching is not feasible, consider implementing resource limits or timeouts on decompression operations as a temporary mitigation.
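An added example of the temporary mitigation above (not code from Snappier or PatchSiren): because the loop is uncatchable, an in-process CancellationToken or exception handler cannot stop it, so this hypothetical SafeSnappy helper runs SnappyStream decompression in a child process that the parent kills on deadline, with caps on input and inflated output. It assumes the application is published as an executable so that Environment.ProcessPath can re-launch it in worker mode; SafeSnappy, its constants and the --worker flag are assumed names.

```csharp
using System;
using System.Diagnostics;
using System.IO;
using System.IO.Compression;
using System.Threading.Tasks;
using Snappier;
// Hypothetical helper: SafeSnappy and its constants are not part of Snappier.
static class SafeSnappy
{
    const int MaxInputBytes = 4 * 1024 * 1024;    // cap on untrusted framed input
    const int MaxOutputBytes = 64 * 1024 * 1024;  // cap on inflated output (bomb guard)
    const int TimeoutMs = 5000;                   // wall-clock budget per decompression
    // Worker mode: decompress stdin to stdout; a hang here only costs this child process.
    static int RunWorker()
    {
        try
        {
            using var stdin = Console.OpenStandardInput();
            using var stdout = Console.OpenStandardOutput();
            using var snappy = new SnappyStream(stdin, CompressionMode.Decompress);
            var buffer = new byte[64 * 1024];
            long total = 0; int n;
            while ((n = snappy.Read(buffer, 0, buffer.Length)) > 0)
            {
                if ((total += n) > MaxOutputBytes) return 2;
                stdout.Write(buffer, 0, n);
            }
            return 0;
        }
        catch (Exception) { return 1; } // malformed input on a patched version throws
    }
    // Parent mode: re-launch this executable as the worker and kill it on deadline.
    public static byte[]? DecompressUntrusted(byte[] input)
    {
        if (input.Length > MaxInputBytes) return null;
        var psi = new ProcessStartInfo(Environment.ProcessPath!, "--worker")
            { RedirectStandardInput = true, RedirectStandardOutput = true, UseShellExecute = false };
        using var child = Process.Start(psi)!;
        // Feed and drain asynchronously so a hung child cannot block the parent on a full pipe.
        _ = Task.Run(() => { try { child.StandardInput.BaseStream.Write(input, 0, input.Length); child.StandardInput.Close(); } catch (IOException) { } });
        using var output = new MemoryStream();
        var drain = child.StandardOutput.BaseStream.CopyToAsync(output);
        if (!child.WaitForExit(TimeoutMs)) { child.Kill(entireProcessTree: true); return null; }
        drain.Wait();
        return child.ExitCode == 0 ? output.ToArray() : null;
    }

    static int Main(string[] args) => args.Length > 0 && args[0] == "--worker" ? RunWorker() : 0;
}
```

A null return means the input was rejected, failed to decode, or exceeded the deadline, which is the signal to log and alert on rather than retry.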
Evidence notes
Official CVE record published 2026-05-12; modified 2026-05-18. GitHub Security Advisory GHSA-pggp-6c3x-2xmx confirms fix in version 1.3.1. CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H. CWE-835 identified as weakness type.
Official resources
- CVE-2026-44302 CVE record (CVE.org)
- CVE-2026-44302 NVD detail (NVD)
- Source item: nvd_modified
- Source reference: 2026-05-12T22:16:36.997Z