CVE-2026-48516

MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings

Assigner: GitHub_M
Reserved: 21.05.2026 Published: 22.06.2026 Updated: 23.06.2026

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping\<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer<TKey>(). This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture This vulnerability is fixed in 2.5.301 and 3.1.7.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
CVSS Score: 6.3

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Network	Confidentiality	None	Confidentiality	None
Attack Complexity	High	Integrity	None	Integrity	None
Attack Requirements	Present	Availability	Low	Availability	None
Privileges Required	None
User Interaction	None

CVSS 4.0

Product Status

Vendor	MessagePack-CSharp
Product	MessagePack-CSharp
Versions	Version >= 3.1.7, < 3.1.7 is affected Version < 2.5.301 is affected

Vendor

MessagePack-CSharp

Product

MessagePack-CSharp

Versions

Version >= 3.1.7, < 3.1.7 is affected
Version < 2.5.301 is affected

References

Problem Types

CWE-407: Inefficient Algorithmic Complexity CWE

CVE-2026-48516 PUBLISHED

MessagePack-CSharp: InterfaceLookupFormatter bypasses collision-resistant comparer settings

Metrics

Product Status

References

Problem Types