CVE-2026-48510

Summary

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers based on those lengths before validating that the compressed data is valid or that the declared expansion is reasonable. A small payload can claim a very large uncompressed length and force a large allocation before LZ4 decoding begins. This vulnerability is fixed in 2.5.301 and 3.1.7.

Affected Software

VendorProductVersion RangeStatus
MessagePack-CSharpMessagePack-CSharp>= 3.0, < 3.1.7affected
MessagePack-CSharpMessagePack-CSharp< 2.5.301affected

Weaknesses

  • CWE-409: CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
  • CWE-770: CWE-770: Allocation of Resources Without Limits or Throttling

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References