CVE-2026-48514

MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length

Assigner: GitHub_M
Reserved: 21.05.2026 Published: 22.06.2026 Updated: 23.06.2026

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase<T>.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining payload bytes. The outer extension header is bounded by available input, but that bound is not used to constrain the inner byteLength before allocation. A very small payload can therefore request a very large T[] allocation. This vulnerability is fixed in 2.5.301 and 3.1.7.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	Low	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	MessagePack-CSharp
Product	MessagePack-CSharp
Versions	Version >= 3.1.7, < 3.1.7 is affected Version < 2.5.301 is affected

Vendor

MessagePack-CSharp

Product

MessagePack-CSharp

Versions

Version >= 3.1.7, < 3.1.7 is affected
Version < 2.5.301 is affected

References

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE

CVE-2026-48514 PUBLISHED

MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length

Metrics

Product Status

References

Problem Types