CVE-2026-48502

Summary

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.

Affected Software

VendorProductVersion RangeStatus
MessagePack-CSharpMessagePack-CSharp>= 3.1.7, < 3.1.7affected
MessagePack-CSharpMessagePack-CSharp< 2.5.301affected

Weaknesses

  • CWE-125: CWE-125: Out-of-bounds Read
  • CWE-190: CWE-190: Integer Overflow or Wraparound
  • CWE-407: CWE-407: Inefficient Algorithmic Complexity
  • CWE-409: CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
  • CWE-470: CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
  • CWE-502: CWE-502: Deserialization of Untrusted Data
  • CWE-674: CWE-674: Uncontrolled Recursion
  • CWE-789: CWE-789: Memory Allocation with Excessive Size Value
  • CWE-1188: CWE-1188: Insecure Default Initialization of Resource

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References