Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs. Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException. This vulnerability is fixed in 2.5.301 and 3.1.7.
Published: 2026-06-22
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MessagePack-CSharp’s MessagePackReader.TrySkip method can recursively descend into nested arrays and maps without incrementing the reader depth or invoking the configured depth checks. The bypass of MessagePackSecurity.MaximumObjectGraphDepth allows an attacker to send deeply nested data that forces the parser into unbounded recursion, which inevitably results in a StackOverflowException that crashes the process. This vulnerability does not provide direct code execution but causes denial of service by terminating the application.

Affected Systems

The bug affects MessagePack-CSharp library versions earlier than 2.5.301 and 3.1.7. Applications using these versions to deserialize MessagePack payloads—particularly those that accept user‑supplied data—are susceptible.

Risk and Exploitability

The CVSS score is 7.5, indicating a high severity. No EPSS score is available, and the issue is not listed in CISA’s KEV catalog. The exploitation requires the ability to supply crafted MessagePack data to the vulnerable application, a situation common in services that expose MessagePack endpoints. Once the data is processed, the application will crash without any mitigation from the library itself. The most likely attack vector is through inbound network or API calls that include MessagePack content.

Generated by OpenCVE AI on June 22, 2026 at 23:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MessagePack-CSharp to version 2.5.301 or later (or 3.1.7 or later) to apply the vendor patch that enforces maximum depth checks during Skip operations.
  • If upgrading is not immediately possible, modify the application to avoid calling TrySkip on unknown or untrusted fields, or implement custom logic that validates the depth of nested structures before processing.
  • Implement monitoring or a watchdog that detects the crash and restarts the service, to reduce the impact until the patch is applied. Because the StackOverflowException is uncatchable in-process, this must run outside the affected application rather than as an in-process exception handler.
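One way to apply the second action (validate nesting depth before processing), as an added example that is not the library's or the advisory's code: walk the raw payload with the library's public MessagePackReader API using an explicit stack instead of recursion, so the validator itself can never overflow, and reject the payload before any formatter gets a chance to Skip() a nested value. NestingDepthGuard, IsWithinDepth and the hand-encoded sample bytes are constructed for this illustration.

```csharp
using System;
using System.Collections.Generic;
using MessagePack;

// Hypothetical pre-validation helper; not part of MessagePack-CSharp.
public static class NestingDepthGuard
{
    // Returns true when no array or map in the payload is nested deeper than
    // maxDepth (a top-level container counts as depth 1). Containers are
    // entered by reading their headers; only non-container values are passed
    // to reader.Skip(), which does not recurse for scalars, strings, binary
    // or extension values. Malformed input surfaces as the reader's own
    // exceptions (MessagePackSerializationException / EndOfStreamException).
    public static bool IsWithinDepth(ReadOnlyMemory<byte> payload, int maxDepth)
    {
        var reader = new MessagePackReader(payload);
        // Each stack entry is the number of values still to consume at that
        // nesting level, so pending.Count is the current depth. A map with N
        // pairs contributes 2N values (keys and values alike may be nested).
        var pending = new Stack<long>();
        pending.Push(1); // exactly one top-level value
        while (pending.Count > 0)
        {
            if (pending.Peek() == 0) { pending.Pop(); continue; } // level done
            pending.Push(pending.Pop() - 1);                        // consume one value
            switch (reader.NextMessagePackType)
            {
                case MessagePackType.Array:
                    if (pending.Count > maxDepth) return false;
                    pending.Push(reader.ReadArrayHeader());
                    break;
                case MessagePackType.Map:
                    if (pending.Count > maxDepth) return false;
                    pending.Push(2L * reader.ReadMapHeader());
                    break;
                default:
                    reader.Skip(); // leaf value: nothing nested to track
                    break;
            }
        }
        return true;
    }

    // Constructed sample: the array [[[1]]] encoded by hand as three fixarray
    // headers (0x91 = fixarray of one element) followed by positive fixint 1.
    public static void Demo()
    {
        byte[] threeDeep = { 0x91, 0x91, 0x91, 0x01 };
        Console.WriteLine(IsWithinDepth(threeDeep, 3));
        Console.WriteLine(IsWithinDepth(threeDeep, 2));
    }
}
```

Run the check on untrusted bytes before handing them to MessagePackSerializer.Deserialize, with maxDepth set to the same value as the MaximumObjectGraphDepth you intend to enforce.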

Advisories

No advisories yet.

History

Mon, 22 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs. Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException. This vulnerability is fixed in 2.5.301 and 3.1.7.
Title MessagePack-CSharp: MessagePackReader.Skip can recurse without enforcing maximum object graph depth
Weaknesses CWE-674
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-22T21:17:35.305Z

Reserved: 2026-05-21T16:18:10.618Z

Link: CVE-2026-48506

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-22T23:30:05Z

Weaknesses