{"id":"GHSA-32wq-ppwg-3w4m","summary":"EnhancedLinq.Async is Vulnerable to Denial of Service via Transitive Dependency Microsoft.Bcl.Memory","details":"### Impact\n`Microsoft.Bcl.Memory`, a transitive dependency of `EnhancedLinq.Async`, had a Denial of Service security vulnerability, [CVE-2026-26127](https://github.com/dotnet/announcements/issues/384), thus affecting `EnhancedLinq.Async` versions that had vulnerable versions of `Microsoft.Bcl.Memory` as a transitive dependency.\n\n### Patches\n`EnhancedLinq.Async` 1.0.0 Beta 3 updates the dependency on `System.Linq.AsyncEnumerable` to version 10.0.4 or newer which in turn updates the transitive dependency on `Microsoft.Bcl.Memory` from version 10.0.3 to 10.0.4 or newer, resolving the vulnerability.\n\n### Workarounds\nNo workarounds exist for this vulnerability.\n\n### How to fix the issue\n\nTo update the `EnhancedLinq.Async` NuGet package, use one of the following methods:\n\n**NuGet Package Manager UI in Visual Studio:**\n- Open the project in Visual Studio.\n- Right-click on the project in Solution Explorer and select \"Manage NuGet Packages...\" or navigate to \"Project \u003e Manage NuGet Packages\".\n- In the NuGet Package Manager window, select the \"Updates\" tab. This tab lists packages with available updates from configured package sources.\n- Select the package(s) to update. A specific version can be chosen from the dropdown, or the latest available version can be selected.\n- Click the \"Update\" button.\n\n**Using the NuGet Package Manager Console in Visual Studio:**\n- Open the project in Visual Studio.\n- Navigate to \"Tools \u003e NuGet Package Manager \u003e Package Manager Console\".\n- To update a specific package to its latest version, use the following Update-Package command:\n\n```\nUpdate-Package -Id EnhancedLinq.Async\n```\n\n**Using the .NET CLI (Command Line Interface):**\n- Open a terminal or command prompt in the project's directory.\n- To update a specific package to its latest version, use the following `dotnet package update` command:\n\n```\ndotnet package update EnhancedLinq.Async\n```\n\nOnce the NuGet package reference has been updated, the application must be recompiled and redeployed.","modified":"2026-04-02T13:14:16.912694Z","published":"2026-04-01T23:57:06Z","database_specific":{"github_reviewed_at":"2026-04-01T23:57:06Z","severity":"HIGH","github_reviewed":true,"nvd_published_at":null,"cwe_ids":["CWE-129","CWE-1395"]},"references":[{"type":"WEB","url":"https://github.com/alastairlundy/EnhancedLinq/security/advisories/GHSA-32wq-ppwg-3w4m"},{"type":"WEB","url":"https://github.com/dotnet/announcements/issues/384"},{"type":"PACKAGE","url":"https://github.com/alastairlundy/EnhancedLinq"},{"type":"WEB","url":"https://www.cve.org/CVERecord?id=CVE-2026-26127"}],"affected":[{"package":{"name":"EnhancedLinq.Async","ecosystem":"NuGet","purl":"pkg:nuget/EnhancedLinq.Async"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.0.0-beta.1"},{"fixed":"1.0.0-beta.3"}]}],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-32wq-ppwg-3w4m/GHSA-32wq-ppwg-3w4m.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}