Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.
Published: 2026-06-22
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MessagePack-CSharp’s ReadDateTime method allocates stack memory using an attacker‑controlled extension length before validating that length against acceptable timestamp sizes. A crafted payload can therefore force a stackalloc that exceeds the call stack, triggering a StackOverflowException that crashes the host process. The result is a denial of service with potential CPU exhaustion if the stack is repeatedly over‑allocated by a very small payload. The flaw is a classic unbounded stack allocation and unchecked extension handling, identified as multiple CWEs including unbounded bounds checks and integer overflows.

Affected Systems

The vulnerability affects the MessagePack-CSharp library for .NET prior to version 2.5.301 and before version 3.1.7. Any application that deserializes MessagePack data using ReadDateTime on those releases is at risk.

Risk and Exploitability

The CVSS score is 8.2, indicating high severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is sending a malicious MessagePack payload to an application that trusts or accepts untrusted serialized data. If the library is used in a network-facing service, remote exploitation is feasible; local exploitation also works if an attacker can supply data to the deserializer. The conditions are minimal, requiring only that ReadDateTime be invoked on crafted data, with no privilege escalation needed.

Generated by OpenCVE AI on June 22, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the MessagePack‑CSharp library to version 2.5.301 or newer, or 3.1.7 or newer, where the bounds check has been fixed.
  • If an immediate upgrade is not possible, add a pre‑validation check that rejects MessagePack extensions larger than the maximum allowed timestamp size before calling ReadDateTime; consider rejecting or sanitizing the data entirely.
  • Ensure that any untrusted data is processed in a bounded or sandboxed environment, and if feasible, disable timestamp extension parsing or limit its use to trusted contexts.

Generated by OpenCVE AI on June 22, 2026 at 23:26 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.
Title MessagePack-CSharp: Denial of service vulnerabilities can swamp the CPU or crash the process with stack and heap overflows
Weaknesses CWE-1188
CWE-125
CWE-190
CWE-407
CWE-409
CWE-470
CWE-502
CWE-674
CWE-789
References
Metrics cvssV4_0

{'score': 8.2, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T21:18:29.190Z

Reserved: 2026-05-21T15:33:08.293Z

Link: CVE-2026-48502

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses
  • CWE-1188

    Initialization of a Resource with an Insecure Default

  • CWE-125

    Out-of-bounds Read

  • CWE-190

    Integer Overflow or Wraparound

  • CWE-407

    Inefficient Algorithmic Complexity

  • CWE-409

    Improper Handling of Highly Compressed Data (Data Amplification)

  • CWE-470

    Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')

  • CWE-502

    Deserialization of Untrusted Data

  • CWE-674

    Uncontrolled Recursion

  • CWE-789

    Memory Allocation with Excessive Size Value