Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.
Published: 2026-06-22
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MessagePack-CSharp’s ReadDateTime method allocates stack memory using an attacker‑controlled extension length before validating that length against acceptable timestamp sizes. A crafted payload can therefore force a stackalloc that exceeds the call stack, triggering a StackOverflowException that crashes the host process. The result is a denial of service with potential CPU exhaustion if the stack is repeatedly over‑allocated by a very small payload. The flaw is a classic unbounded stack allocation and unchecked extension handling, identified as multiple CWEs including unbounded bounds checks and integer overflows.

Affected Systems

The vulnerability affects the MessagePack-CSharp library for .NET prior to version 2.5.301 and before version 3.1.7. Any application that deserializes MessagePack data using ReadDateTime on those releases is at risk.

Risk and Exploitability

The CVSS score is 8.2, indicating high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is sending a malicious MessagePack payload to an application that trusts or accepts untrusted serialized data. If the library is used in a network-facing service, remote exploitation is feasible; local exploitation also works if an attacker can supply data to the deserializer. The conditions are minimal, requiring only that ReadDateTime be invoked on crafted data, with no privilege escalation needed.

Generated by OpenCVE AI on June 22, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MessagePack‑CSharp library to version 2.5.301 or newer, or 3.1.7 or newer, where the bounds check has been fixed.
  • If an immediate upgrade is not possible, add a pre‑validation check that rejects MessagePack extensions larger than the maximum allowed timestamp size before calling ReadDateTime; consider rejecting or sanitizing the data entirely.
  • Ensure that any untrusted data is processed in a bounded or sandboxed environment, and if feasible, disable timestamp extension parsing or limit its use to trusted contexts.

Generated by OpenCVE AI on June 22, 2026 at 23:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-382j-8mxh-c7x2 MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows
History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Messagepack
Messagepack messagepack-csharp
Vendors & Products Messagepack
Messagepack messagepack-csharp

Tue, 23 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.
Title MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows
Weaknesses CWE-1188
CWE-125
CWE-190
CWE-407
CWE-409
CWE-470
CWE-502
CWE-674
CWE-789
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}


Subscriptions

Messagepack Messagepack-csharp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-23T15:05:33.595Z

Reserved: 2026-05-21T15:33:08.293Z

Link: CVE-2026-48502

cve-icon Vulnrichment

Updated: 2026-06-23T14:58:33.427Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:07:14Z

Weaknesses
  • CWE-1188

    Initialization of a Resource with an Insecure Default

  • CWE-125

    Out-of-bounds Read

  • CWE-190

    Integer Overflow or Wraparound

  • CWE-407

    Inefficient Algorithmic Complexity

  • CWE-409

    Improper Handling of Highly Compressed Data (Data Amplification)

  • CWE-470

    Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

  • CWE-502

    Deserialization of Untrusted Data

  • CWE-674

    Uncontrolled Recursion

  • CWE-789

    Memory Allocation with Excessive Size Value