Publish GHSA-32wq-ppwg-3w4m

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-32wq-ppwg-3w4m/GHSA-32wq-ppwg-3w4m.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-32wq-ppwg-3w4m",
+  "modified": "2026-04-01T23:57:06Z",
+  "published": "2026-04-01T23:57:06Z",
+  "aliases": [],
+  "summary": "EnhancedLinq.Async is Vulnerable to Denial of Service via Transitive Dependency Microsoft.Bcl.Memory",
+  "details": "### Impact\n`Microsoft.Bcl.Memory`, a transitive dependency of `EnhancedLinq.Async`, had a Denial of Service security vulnerability, [CVE-2026-26127](https://github.com/dotnet/announcements/issues/384), thus affecting `EnhancedLinq.Async` versions that had vulnerable versions of `Microsoft.Bcl.Memory` as a transitive dependency.\n\n### Patches\n`EnhancedLinq.Async` 1.0.0 Beta 3 updates the dependency on `System.Linq.AsyncEnumerable` to version 10.0.4 or newer which in turn updates the transitive dependency on `Microsoft.Bcl.Memory` from version 10.0.3 to 10.0.4 or newer, resolving the vulnerability.\n\n### Workarounds\nNo workarounds exist for this vulnerability.\n\n### How to fix the issue\n\nTo update the `EnhancedLinq.Async` NuGet package, use one of the following methods:\n\n**NuGet Package Manager UI in Visual Studio:**\n- Open the project in Visual Studio.\n- Right-click on the project in Solution Explorer and select \"Manage NuGet Packages...\" or navigate to \"Project > Manage NuGet Packages\".\n- In the NuGet Package Manager window, select the \"Updates\" tab. This tab lists packages with available updates from configured package sources.\n- Select the package(s) to update. A specific version can be chosen from the dropdown, or the latest available version can be selected.\n- Click the \"Update\" button.\n\n**Using the NuGet Package Manager Console in Visual Studio:**\n- Open the project in Visual Studio.\n- Navigate to \"Tools > NuGet Package Manager > Package Manager Console\".\n- To update a specific package to its latest version, use the following Update-Package command:\n\n```\nUpdate-Package -Id EnhancedLinq.Async\n```\n\n**Using the .NET CLI (Command Line Interface):**\n- Open a terminal or command prompt in the project's directory.\n- To update a specific package to its latest version, use the following add package command:\n\n```\ndotnet package update EnhancedLinq.Async\n```\n\nOnce the NuGet package reference has been updated, the application must be recompiled and redeployed.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "NuGet",
+        "name": "EnhancedLinq.Async"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.0.0-beta.1"
+            },
+            {
+              "fixed": "1.0.0-beta.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/alastairlundy/EnhancedLinq/security/advisories/GHSA-32wq-ppwg-3w4m"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dotnet/announcements/issues/384"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/alastairlundy/EnhancedLinq"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cve.org/CVERecord?id=CVE-2026-26127"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-129",
+      "CWE-1395"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T23:57:06Z",
+    "nvd_published_at": null
+  }
+}