GHSA-32WQ-PPWG-3W4M
Vulnerability from github – Published: 2026-04-01 23:57 – Updated: 2026-04-01 23:57Impact
Microsoft.Bcl.Memory, a transitive dependency of EnhancedLinq.Async, had a Denial of Service security vulnerability, CVE-2026-26127, thus affecting EnhancedLinq.Async versions that had vulnerable versions of Microsoft.Bcl.Memory as a transitive dependency.
Patches
EnhancedLinq.Async 1.0.0 Beta 3 updates the dependency on System.Linq.AsyncEnumerable to version 10.0.4 or newer which in turn updates the transitive dependency on Microsoft.Bcl.Memory from version 10.0.3 to 10.0.4 or newer, resolving the vulnerability.
Workarounds
No workarounds exist for this vulnerability.
How to fix the issue
To update the EnhancedLinq.Async NuGet package, use one of the following methods:
NuGet Package Manager UI in Visual Studio: - Open the project in Visual Studio. - Right-click on the project in Solution Explorer and select "Manage NuGet Packages..." or navigate to "Project > Manage NuGet Packages". - In the NuGet Package Manager window, select the "Updates" tab. This tab lists packages with available updates from configured package sources. - Select the package(s) to update. A specific version can be chosen from the dropdown, or the latest available version can be selected. - Click the "Update" button.
Using the NuGet Package Manager Console in Visual Studio: - Open the project in Visual Studio. - Navigate to "Tools > NuGet Package Manager > Package Manager Console". - To update a specific package to its latest version, use the following Update-Package command:
Update-Package -Id EnhancedLinq.Async
Using the .NET CLI (Command Line Interface): - Open a terminal or command prompt in the project's directory. - To update a specific package to its latest version, use the following add package command:
dotnet package update EnhancedLinq.Async
Once the NuGet package reference has been updated, the application must be recompiled and redeployed.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "EnhancedLinq.Async"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0-beta.1"
},
{
"fixed": "1.0.0-beta.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-129",
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T23:57:06Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n`Microsoft.Bcl.Memory`, a transitive dependency of `EnhancedLinq.Async`, had a Denial of Service security vulnerability, [CVE-2026-26127](https://github.com/dotnet/announcements/issues/384), thus affecting `EnhancedLinq.Async` versions that had vulnerable versions of `Microsoft.Bcl.Memory` as a transitive dependency.\n\n### Patches\n`EnhancedLinq.Async` 1.0.0 Beta 3 updates the dependency on `System.Linq.AsyncEnumerable` to version 10.0.4 or newer which in turn updates the transitive dependency on `Microsoft.Bcl.Memory` from version 10.0.3 to 10.0.4 or newer, resolving the vulnerability.\n\n### Workarounds\nNo workarounds exist for this vulnerability.\n\n### How to fix the issue\n\nTo update the `EnhancedLinq.Async` NuGet package, use one of the following methods:\n\n**NuGet Package Manager UI in Visual Studio:**\n- Open the project in Visual Studio.\n- Right-click on the project in Solution Explorer and select \"Manage NuGet Packages...\" or navigate to \"Project \u003e Manage NuGet Packages\".\n- In the NuGet Package Manager window, select the \"Updates\" tab. This tab lists packages with available updates from configured package sources.\n- Select the package(s) to update. A specific version can be chosen from the dropdown, or the latest available version can be selected.\n- Click the \"Update\" button.\n\n**Using the NuGet Package Manager Console in Visual Studio:**\n- Open the project in Visual Studio.\n- Navigate to \"Tools \u003e NuGet Package Manager \u003e Package Manager Console\".\n- To update a specific package to its latest version, use the following Update-Package command:\n\n```\nUpdate-Package -Id EnhancedLinq.Async\n```\n\n**Using the .NET CLI (Command Line Interface):**\n- Open a terminal or command prompt in the project\u0027s directory.\n- To update a specific package to its latest version, use the following add package command:\n\n```\ndotnet package update EnhancedLinq.Async\n```\n\nOnce the NuGet package reference has been updated, the application must be recompiled and redeployed.",
"id": "GHSA-32wq-ppwg-3w4m",
"modified": "2026-04-01T23:57:06Z",
"published": "2026-04-01T23:57:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/alastairlundy/EnhancedLinq/security/advisories/GHSA-32wq-ppwg-3w4m"
},
{
"type": "WEB",
"url": "https://github.com/dotnet/announcements/issues/384"
},
{
"type": "PACKAGE",
"url": "https://github.com/alastairlundy/EnhancedLinq"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26127"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "EnhancedLinq.Async is Vulnerable to Denial of Service via Transitive Dependency Microsoft.Bcl.Memory"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.