CVE-2026-48515

MessagePack-CSharp: Multi-dimensional array formatters allocate from unchecked dimensions

Assigner: GitHub_M
Reserved: 21.05.2026 Published: 22.06.2026 Updated: 23.06.2026

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T[,], T[,,], or T[,,,] before validating that the dimension product matches the encoded element count. The formatter reads a guarded element array header, but allocation of the target multi-dimensional array happens before the dimensions are checked against that element count. A small payload can therefore declare large dimensions, provide an empty or tiny inner array, and cause a large heap allocation before element data is validated. This vulnerability is fixed in 2.5.301 and 3.1.7.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	Low	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	MessagePack-CSharp
Product	MessagePack-CSharp
Versions	Version >= 3.1.7, < 3.1.7 is affected Version < 2.5.301 is affected

Vendor

MessagePack-CSharp

Product

MessagePack-CSharp

Versions

Version >= 3.1.7, < 3.1.7 is affected
Version < 2.5.301 is affected

References

Problem Types

CWE-770: Allocation of Resources Without Limits or Throttling CWE

CVE-2026-48515 PUBLISHED

MessagePack-CSharp: Multi-dimensional array formatters allocate from unchecked dimensions

Metrics

Product Status

References

Problem Types