Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, a vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes Lz4Block and Lz4BlockArray. The decoder implementation is based on a deprecated fast-decompression algorithm that does not take a source-length bound. A remote attacker can send a crafted MessagePack payload with manipulated LZ4 token/length fields to force out-of-bounds reads from the compressed input buffer. In affected environments, this can trigger an AccessViolationException during decompression, causing process termination (denial of service). Under some conditions, limited unintended memory disclosure from over-read data may also be possible before failure. This vulnerability is fixed in 2.5.301 and 3.1.7.
Published: 2026-06-22
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A malformed MessagePack payload can cause out-of-bounds reads in the LZ4 decompression path of MessagePack-CSharp. The decoder is derived from a fast-decompression algorithm that is never told how long the compressed input is, so crafted LZ4 token and length fields steer its literal and match copies past the end of the input buffer. In affected environments this raises an AccessViolationException, which terminates the process; under some conditions a limited amount of over-read memory may be disclosed before the failure.
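To make the missing bound concrete, here is an added example that is neither MessagePack-CSharp's code nor the lz4 reference implementation: a minimal decoder for a raw LZ4 block, written in C, that checks the compressed length (and the output capacity) at every point where the token and length fields steer a read. The comments mark the comparisons a fast-path decoder that is handed only the expected decompressed size cannot make. The sample blocks are constructed for this example; the hostile ones carry the kind of manipulated literal length and match offset the advisory describes, and the bounded decoder rejects them instead of reading outside the input.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Decode one raw LZ4 block (no frame header). Both the compressed length and
 * the output capacity are enforced. Returns bytes written, or -1 if the block
 * is malformed. Simplified example decoder, not library code. */
long lz4_block_decode_bounded(const uint8_t *src, size_t src_len,
                              uint8_t *dst, size_t dst_cap)
{
    const uint8_t *ip = src, *iend = src + src_len;
    uint8_t *op = dst, *oend = dst + dst_cap;

    while (ip < iend) {
        /* Token: high nibble = literal length, low nibble = match length - 4. */
        unsigned token = *ip++;
        size_t lit_len = token >> 4;
        size_t match_len = token & 0x0F;

        /* A nibble of 15 means extension bytes follow; each adds its value and
         * 0xFF means "keep going". Every `ip >= iend` test in this function is
         * one that a decoder given only the decompressed size cannot make. */
        if (lit_len == 15) {
            unsigned b;
            do {
                if (ip >= iend) return -1;       /* length bytes run off the input */
                b = *ip++;
                lit_len += b;
            } while (b == 255);
        }

        /* Literal copy. Without the first test, a forged lit_len makes this
         * memcpy read past the end of the compressed buffer. */
        if (lit_len > (size_t)(iend - ip)) return -1;
        if (lit_len > (size_t)(oend - op)) return -1;
        memcpy(op, ip, lit_len);
        ip += lit_len;
        op += lit_len;

        if (ip == iend) break;                   /* literal-only last sequence */

        /* Match: 2-byte little-endian offset back into dst, then the length. */
        if (iend - ip < 2) return -1;
        size_t offset = (size_t)ip[0] | ((size_t)ip[1] << 8);
        ip += 2;
        if (offset == 0 || offset > (size_t)(op - dst)) return -1; /* before dst */

        if (match_len == 15) {
            unsigned b;
            do {
                if (ip >= iend) return -1;
                b = *ip++;
                match_len += b;
            } while (b == 255);
        }
        match_len += 4;                          /* MINMATCH */
        if (match_len > (size_t)(oend - op)) return -1;

        /* Byte-wise so an overlapping match (offset < match_len) repeats. */
        const uint8_t *mp = op - offset;
        for (size_t i = 0; i < match_len; i++) op[i] = mp[i];
        op += match_len;
    }
    return (long)(op - dst);
}

/* Constructed sample blocks (not captured from real traffic). */
/* Valid: literal 'a', a 19-byte match at offset 1 (nibble 15 plus an
 * extension byte of 0), then the literal tail "bcdef". Decodes to 25 bytes. */
static const uint8_t GOOD_BLOCK[] = { 0x1F, 'a', 0x01, 0x00, 0x00,
                                      0x50, 'b', 'c', 'd', 'e', 'f' };
/* Hostile: literal length 15 + 255 + 255 + 255 + 16 = 796 bytes, but only
 * five input bytes follow the length fields. */
static const uint8_t BAD_LITERAL_LEN[] = { 0xF0, 0xFF, 0xFF, 0xFF, 0x10,
                                           'x', 'y', 'z', 'w', 'v' };
/* Hostile: match offset 9 when only one output byte exists. */
static const uint8_t BAD_OFFSET[] = { 0x10, 'a', 0x09, 0x00,
                                      0x50, 'b', 'c', 'd', 'e', 'f' };
/* Hostile: the length extension bytes themselves are truncated. */
static const uint8_t TRUNC_EXT[] = { 0xF0, 0xFF };

static uint8_t g_out[64];

/* Decode a sample into g_out; returns the length or -1. */
long decode_sample(const uint8_t *blk, size_t n)
{
    return lz4_block_decode_bounded(blk, n, g_out, sizeof g_out);
}

/* True if the last decode produced exactly `expect` (n is its length). */
int output_equals(const char *expect, long n)
{
    return n >= 0 && (size_t)n == strlen(expect)
        && memcmp(g_out, expect, (size_t)n) == 0;
}

int main(void)
{
    printf("good block: %ld\n", decode_sample(GOOD_BLOCK, sizeof GOOD_BLOCK));
    printf("bad length: %ld\n", decode_sample(BAD_LITERAL_LEN, sizeof BAD_LITERAL_LEN));
    printf("bad offset: %ld\n", decode_sample(BAD_OFFSET, sizeof BAD_OFFSET));
    printf("truncated:  %ld\n", decode_sample(TRUNC_EXT, sizeof TRUNC_EXT));
    return 0;
}
```

Compile with any C99 compiler and run; the valid block decodes to 25 bytes and each hostile block returns -1. Deleting the `iend` comparisons gives the shape of the unbounded algorithm: on the first hostile block the literal memcpy would then read 796 bytes from a 10-byte buffer, which is the over-read that becomes an access violation once it crosses into unmapped memory, and that returns neighbouring heap contents as "decompressed" data when it does not.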

Affected Systems

The vulnerability exists in the 2.x line of MessagePack-CSharp before 2.5.301 and in the 3.x line before 3.1.7. Applications that deserialize untrusted data with the MessagePack serializer for C# and have the Lz4Block or Lz4BlockArray compression mode enabled are exposed; the LZ4 decompression path is optional and is not reached when no compression mode is configured.

Risk and Exploitability

With a CVSS 3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H) the vulnerability is rated high severity: it is reachable over the network with no privileges or user interaction, the main impact is on availability, and there is a limited confidentiality impact. No EPSS score is available and it is not listed in the CISA KEV catalog. Any channel over which the application deserializes attacker-supplied MessagePack data with an LZ4 compression mode enabled is an attack vector. Successful exploitation crashes the process and may leak a limited amount of over-read memory, so its practical use is denial of service against services that use the affected library.

Generated by OpenCVE AI on June 22, 2026 at 23:25 UTC.

Remediation

Fixed in MessagePack-CSharp 2.5.301 (2.x line) and 3.1.7 (3.x line), per the vendor advisory. No other vendor workaround is listed.

OpenCVE Recommended Actions

  • Update MessagePack-CSharp to 2.5.301 or later on the 2.x line, or 3.1.7 or later on the 3.x line, via your package manager, then rebuild and redeploy the affected services
  • If LZ4 compression is not required, do not enable Lz4Block or Lz4BlockArray in the serializer options' compression setting; the vulnerable decompression path is only reached when one of these modes is configured
  • Where the upgrade is delayed, treat decompression as an untrusted operation: cap the size of MessagePack payloads accepted from the network and isolate the deserializing process so a crash does not take down unrelated work. The manipulated length fields live inside the LZ4 block itself, so validating them ahead of decompression amounts to reimplementing a bounds-checked decoder; upgrading is the actual fix

Generated by OpenCVE AI on June 22, 2026 at 23:25 UTC.

Advisories
Source: Github GHSA
ID: GHSA-hv8m-jj95-wg3x
Title: MessagePack's LZ4 decompression may fail with AccessViolationException after dereferencing memory from bad input
History

Mon, 22 Jun 2026 22:00:00 +0000

Type | Values Removed | Values Added
Description | (empty) | MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, A vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes Lz4Block and Lz4BlockArray. The decoder implementation is based on a deprecated fast-decompression algorithm that does not take a source-length bound. A remote attacker can send a crafted MessagePack payload with manipulated LZ4 token/length fields to force out-of-bounds reads from the compressed input buffer. In affected environments, this can trigger an AccessViolationException during decompression, causing process termination (denial of service). Under some conditions, limited unintended memory disclosure from over-read data may also be possible before failure. This vulnerability is fixed in 2.5.301 and 3.1.7.
Title | (empty) | MessagePack-CSharp: LZ4 decompression may fail with AccessViolationException after dereferencing memory from bad input
Weaknesses | (empty) | CWE-20
References | (empty) | (empty)
Metrics | (empty) | cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T21:19:54.234Z

Reserved: 2026-05-20T18:46:58.287Z

Link: CVE-2026-48109

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses
  • CWE-20

    Improper Input Validation