GHSA-32wq-ppwg-3w4m
HIGHEnhancedLinq.Async is Vulnerable to Denial of Service via Transitive Dependency Microsoft.Bcl.Memory
Blast Radius
EnhancedLinq.AsyncReal-time download stats are indexed for npm and PyPI packages. This vulnerability affects NuGet packages — download data is not available via public APIs for these ecosystems.
Description
Impact
Microsoft.Bcl.Memory, a transitive dependency of EnhancedLinq.Async, had a Denial of Service security vulnerability, CVE-2026-26127, thus affecting EnhancedLinq.Async versions that had vulnerable versions of Microsoft.Bcl.Memory as a transitive dependency.
Patches
EnhancedLinq.Async 1.0.0 Beta 3 updates the dependency on System.Linq.AsyncEnumerable to version 10.0.4 or newer which in turn updates the transitive dependency on Microsoft.Bcl.Memory from version 10.0.3 to 10.0.4 or newer, resolving the vulnerability.
Workarounds
No workarounds exist for this vulnerability.
How to fix the issue
To update the EnhancedLinq.Async NuGet package, use one of the following methods:
NuGet Package Manager UI in Visual Studio:
- Open the project in Visual Studio.
- Right-click on the project in Solution Explorer and select "Manage NuGet Packages..." or navigate to "Project > Manage NuGet Packages".
- In the NuGet Package Manager window, select the "Updates" tab. This tab lists packages with available updates from configured package sources.
- Select the package(s) to update. A specific version can be chosen from the dropdown, or the latest available version can be selected.
- Click the "Update" button.
Using the NuGet Package Manager Console in Visual Studio:
- Open the project in Visual Studio.
- Navigate to "Tools > NuGet Package Manager > Package Manager Console".
- To update a specific package to its latest version, use the following Update-Package command:
Update-Package -Id EnhancedLinq.Async
Using the .NET CLI (Command Line Interface):
- Open a terminal or command prompt in the project's directory.
- To update a specific package to its latest version, use the following add package command:
dotnet package update EnhancedLinq.Async
Once the NuGet package reference has been updated, the application must be recompiled and redeployed.
Affected Packages
| Ecosystem | Package | Vulnerable range | Fix |
|---|---|---|---|
| .NETNuGet | EnhancedLinq.Async | ≥ 1.0.0-beta.1&&< 1.0.0-beta.3 | 1.0.0-beta.3 |
Detection & mitigation playbook
Open-source dependencyDetect
Scan your dependency tree (package-lock.json, pnpm-lock.yaml, requirements.txt, go.sum, etc.) for EnhancedLinq.Async. O3's reachability analysis confirms whether the vulnerable code path is actually invoked in your application, so you act on real exposure instead of every transitive match.
Fix
Update EnhancedLinq.Async to 1.0.0-beta.3 or later, then make sure no transitive (indirect) dependency still pins the vulnerable range — O3 confirms GHSA-32wq-ppwg-3w4m is resolved across your whole dependency graph.
Workarounds
If you can't upgrade right away: gate or disable the affected feature, validate untrusted input at the boundary, and avoid passing attacker-controlled data into the vulnerable path. O3's runtime protection blocks exploitation in production as an interim safeguard until the upgrade lands.
How O3 protects you
O3 pinpoints whether GHSA-32wq-ppwg-3w4m is reachable in your code and exactly where to fix it, then blocks exploitation in production at runtime until the patched version is deployed.
Tailored to GHSA-32wq-ppwg-3w4m. Runtime protection reduces exposure until a permanent patch is applied and verified — it complements patching, it doesn't replace it.
Frequently Asked Questions
Is GHSA-32wq-ppwg-3w4m in your dependencies?
O3 detects GHSA-32wq-ppwg-3w4m across NuGet dependencies and uses function-level reachability to confirm whether the vulnerable code path is actually reachable — not just present. No false positives.