CVE-2026-48502 PUBLISHED

MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows

Assigner: GitHub_M
Reserved: 21.05.2026 Published: 22.06.2026 Updated: 23.06.2026

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.2

Product Status

Vendor MessagePack-CSharp
Product MessagePack-CSharp
Versions
  • Version >= 3.1.7, < 3.1.7 is affected
  • Version < 2.5.301 is affected

References

Problem Types

  • CWE-125: Out-of-bounds Read CWE
  • CWE-190: Integer Overflow or Wraparound CWE
  • CWE-407: Inefficient Algorithmic Complexity CWE
  • CWE-409: Improper Handling of Highly Compressed Data (Data Amplification) CWE
  • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE
  • CWE-502: Deserialization of Untrusted Data CWE
  • CWE-674: Uncontrolled Recursion CWE
  • CWE-789: Memory Allocation with Excessive Size Value CWE
  • CWE-1188: Insecure Default Initialization of Resource CWE