Appearance
MET-2026-001
Snappier (CVE-2026-44302)
Skip to content
| Bulletin ID | MET-2026-001 |
|---|---|
| Date (published) | 2026-05-07T00:00:00.000Z |
| Date (last updated) | 2026-05-07T00:00:00.000Z |
| Severity | Informational |
Description
On May 6th, 2026, a vulnerability was published on Snappier, a managed C# port of the Snappy compression library. Snappier.SnappyStream enters an uncatchable infinite loop when decompressing a malformed framed-format Snappy stream as small as 15 bytes. The hang manifests as a userspace busy loop that cannot be recovered from via exception handling.
Affected Products/Services
Metaplay infrastructure and product are not affected by this vulnerability.
- MetaplaySDK does not perform Snappy decompression. Snappier is included only as a transitive dependency of
IronCompress.
Impact
None.
Solution
As MetaplaySDK is not affected, no action is required. The vulnerable transitive Snappier can be overridden with the patched version by adding the following entry to the project file. This is useful only to silence the NU1903 build warning emitted by NuGet's security audit. The patch has been tested to apply to MetaplaySDK versions 35 and 36.
MetaplaySDK/Backend/Cloud/Metaplay.Cloud.csproj
diff
<PackageReference Include="IronCompress" Version="1.6.3" />
+ <!-- Override the transitive Snappier (CVE-2026-44302) with the patched version. -->
+ <PackageReference Include="Snappier" Version="1.3.1" NoWarn="NU1510" />CVE and CVSS Information
References
Contact Information
Security-related questions or concerns can be sent to security@metaplay.io.
Revision History
| Date | Description |
|---|---|
| 2026-05-07 | Security Bulletin released |