Description
Nerdbank.MessagePack is a NativeAOT-compatible MessagePack serialization library. Prior to 1.1.62, Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a StackOverflowException, which is not catchable by user code and terminates the process. This vulnerability is fixed in 1.1.62.
Published: 2026-05-14
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unchecked stack allocation occurs during DateTime decoding in Nerdbank.MessagePack versions prior to 1.1.62. A malicious payload that declares an oversized timestamp extension length forces the library to allocate an attacker‑controlled number of bytes on the stack, resulting in a StackOverflowException that cannot be caught by application code. The exception terminates the process, creating a denial‑of‑service condition. The flaw is a classic uncontrolled memory allocation problem, aligned with CWE‑789.

Affected Systems

Users of the Nerdbank.MessagePack library provided by AArnott are affected if they use any version earlier than 1.1.62. The security advisory applies to all platforms that support the library and any application that deserializes untrusted MessagePack data using these vulnerable versions.

Risk and Exploitability

With a CVSS score of 7.5, the vulnerability is rated high severity. EPSS is not available, and the issue is not listed in the CISA KEV catalog, suggesting no known large‑scale exploitation yet. Based on the description, it is inferred that an attacker can supply an oversized timestamp extension via external inputs if the application accepts untrusted MessagePack data from a network, file, or other source, forcing the library to allocate an attacker‑controlled number of bytes on the stack. Successful exploitation leads to a process crash and potential loss of availability for services dependent on that process.

Generated by OpenCVE AI on May 14, 2026 at 16:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Nerdbank.MessagePack to version 1.1.62 or later.
  • Apply input validation to restrict the length of timestamp extensions before decoding, or reject payloads that exceed expected bounds.
  • Deploy application health monitoring and automated restart mechanisms to recover from unexpected crashes, and run the application with the least privileges necessary.

Generated by OpenCVE AI on May 14, 2026 at 16:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-2cwq-pwfr-wcw3 Nerdbank.MessagePack: Attacker-controlled stackalloc in DateTime decoding causes process-terminating StackOverflowException
History

Thu, 14 May 2026 16:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 14 May 2026 15:15:00 +0000

Type Values Removed Values Added
Description Nerdbank.MessagePack is a NativeAOT-compatible MessagePack serialization library. Prior to 1.1.62, Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a StackOverflowException, which is not catchable by user code and terminates the process. This vulnerability is fixed in 1.1.62.
Title Nerdbank.MessagePack: Attacker-controlled stackalloc in DateTime decoding causes process-terminating StackOverflowException
Weaknesses CWE-789
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-14T16:02:12.327Z

Reserved: 2026-05-05T20:15:20.631Z

Link: CVE-2026-44375

cve-icon Vulnrichment

Updated: 2026-05-14T16:02:08.172Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T15:16:48.383

Modified: 2026-05-14T18:19:25.260

Link: CVE-2026-44375

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-14T17:00:15Z

Weaknesses