GHSA-rrjr-v56m-ww88

Source

https://github.com/advisories/GHSA-rrjr-v56m-ww88

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-rrjr-v56m-ww88/GHSA-rrjr-v56m-ww88.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-rrjr-v56m-ww88

Aliases

CVE-2026-42241

Published

2026-04-24T16:39:55Z

Modified

2026-05-11T13:52:22.711625Z

Severity

5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L CVSS Calculator

Summary

ParquetSharp: Possible Stack Overflow When Reading a ParquetFile with Large Decimal Type Width

Details

DecimalConverter.ReadDecimal makes a stackalloc using what might be an attacker-supplied value. If an attacker declares a decimal column with some unreasonable width, this could lead to a stack overflow. In a service environment, this would potentially take down a service.

This affects applications using ParquetSharp to read untrusted Parquet files in a network service.

Database specific

{
    "github_reviewed_at": "2026-04-24T16:39:55Z",
    "cwe_ids": [
        "CWE-789"
    ],
    "github_reviewed": true,
    "severity": "MODERATE",
    "nvd_published_at": "2026-05-07T20:16:44Z"
}

References

Affected packages

NuGet / ParquetSharp

Package

Name: ParquetSharp; View open source insights on deps.dev
Purl: pkg:nuget/ParquetSharp

Affected ranges

Type: ECOSYSTEM
Events: Introduced

18.1.0

Fixed

23.0.0.1

Affected versions

18.*

18.1.0

19.*

19.0.1-beta1

19.0.1

20.*

20.0.0-beta1

20.0.0-beta2

20.0.0

21.*

21.0.0-beta1

21.0.0

23.*

23.0.0-beta1

23.0.0

Database specific

source

"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-rrjr-v56m-ww88/GHSA-rrjr-v56m-ww88.json"