Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T[,], T[,,], or T[,,,] before validating that the dimension product matches the encoded element count. The formatter reads a guarded element array header, but allocation of the target multi-dimensional array happens before the dimensions are checked against that element count. A small payload can therefore declare large dimensions, provide an empty or tiny inner array, and cause a large heap allocation before element data is validated. This vulnerability is fixed in 2.5.301 and 3.1.7.
Published: 2026-06-22
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

MessagePack-CSharp for C# contains a vulnerability where the multi‑dimensional array formatters read dimension lengths directly from the incoming payload and allocate a large array before verifying that the product of those dimensions matches the encoded element count. The formatter checks the element array header, but the actual memory allocation occurs prior to that validation. An attacker can craft a small payload that specifies huge dimensions, forcing the deserializer to allocate a big T[,,] or T[,,,] array, consuming large amounts of heap space before any element data is processed. This results in excessive memory usage which can degrade performance or exhaust system memory, leading to a denial of service. The weakness is classified as CWE‑770, a resource exhaustion flaw. No direct code execution is possible; the impact is limited to availability.

Affected Systems

The vulnerability affects the MessagePack-CSharp library provided by MessagePack-CSharp. Versions prior to 2.5.301 and 3.1.7 are susceptible. Any application that deserializes untrusted MessagePack data using these versions may be at risk.

Risk and Exploitability

The CVSS base score of 6.3 indicates a moderate severity. The EPSS score is not available, so the likelihood of exploitation cannot be quantified, but the attack vector is inferred to be remote (or local) whenever the library is used to process untrusted input; an attacker can send a malicious payload to trigger the memory allocation. The vulnerability is not listed in CISA’s KEV catalog. The exploit is straightforward once the attacker can provide the offending payload, and the consequence is a denial of service caused by memory exhaustion.

Generated by OpenCVE AI on June 22, 2026 at 23:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade MessagePack-CSharp to version 2.5.301 or later, or to 3.1.7 or later, which validate dimensions before allocation.
  • If an immediate upgrade is not possible, restrict deserialization of untrusted MessagePack data to a sandboxed environment or container with configured memory limits to prevent excessive allocation from affecting the host system.
  • Implement a pre‑validation that rejects multi‑dimensional array payloads with dimensions exceeding a defined safe limit before invoking the deserializer to mitigate potential denial of service.

Generated by OpenCVE AI on June 22, 2026 at 23:52 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-cxmj-83gh-fp49 MessagePack-CSharp: Multi-dimensional array formatters allocate from unchecked dimensions
History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
First Time appeared Messagepack
Messagepack messagepack-csharp
Vendors & Products Messagepack
Messagepack messagepack-csharp

Tue, 23 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 22 Jun 2026 22:00:00 +0000

Type Values Removed Values Added
Description MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T[,], T[,,], or T[,,,] before validating that the dimension product matches the encoded element count. The formatter reads a guarded element array header, but allocation of the target multi-dimensional array happens before the dimensions are checked against that element count. A small payload can therefore declare large dimensions, provide an empty or tiny inner array, and cause a large heap allocation before element data is validated. This vulnerability is fixed in 2.5.301 and 3.1.7.
Title MessagePack-CSharp: Multi-dimensional array formatters allocate from unchecked dimensions
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N'}


Subscriptions

Messagepack Messagepack-csharp
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-25T15:51:25.988Z

Reserved: 2026-05-21T16:18:10.618Z

Link: CVE-2026-48515

cve-icon Vulnrichment

Updated: 2026-06-23T12:58:10.966Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T16:07:25Z

Weaknesses
  • CWE-770

    Allocation of Resources Without Limits or Throttling