
MessagePack for C# CVE-2026-48502

EUVD-2026-38389 · HIGH
Out-of-bounds Read (CWE-125)
2026-06-22 · GitHub_M
CVSS 4.0 score 8.2 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 8.2 HIGH
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 5.9 MEDIUM
Network-reachable unauthenticated DoS; AC:H because the consumer must invoke the timestamp slow path on attacker data; only availability impacted.
CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Patch available: Jun 22, 2026 - 23:02 (EUVD)
Analysis generated: Jun 22, 2026 - 22:19 (vuln.today)

Description (CVE.org)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.
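The ordering the fix restores, as an added C# example that is not MessagePack-CSharp's own code: a reader for the timestamp extension (ext type -1, whose body is 4, 8 or 12 bytes per the MessagePack spec) that checks the declared length against those sizes and against the remaining buffer before allocating or reading anything. `SafeTimestampReader` and `TryReadTimestamp` are names chosen for this example.

```csharp
using System;
using System.Buffers.Binary;

// Added example, not MessagePack-CSharp's code: read a MessagePack timestamp
// extension (ext type -1) without trusting the wire length. The advisory's bug
// is the reverse order: tokenSize = header + declared body length, stackalloc
// byte[tokenSize], and only afterwards check that the body is 4, 8 or 12 bytes.
static class SafeTimestampReader
{
    // Returns false on malformed or non-timestamp input. Nothing is allocated
    // from the declared length, so a huge ext32 length is simply rejected.
    public static bool TryReadTimestamp(ReadOnlySpan<byte> input, out DateTime value, out int consumed)
    {
        value = default;
        consumed = 0;
        if (input.Length < 2) return false;
        int headerLen;
        uint declared;
        switch (input[0])
        {
            case 0xd6: headerLen = 2; declared = 4; break;        // fixext 4
            case 0xd7: headerLen = 2; declared = 8; break;        // fixext 8
            case 0xc7: headerLen = 3; declared = input[1]; break; // ext 8
            case 0xc8:                                            // ext 16
                if (input.Length < 4) return false;
                headerLen = 4; declared = BinaryPrimitives.ReadUInt16BigEndian(input.Slice(1, 2)); break;
            case 0xc9:                                            // ext 32
                if (input.Length < 6) return false;
                headerLen = 6; declared = BinaryPrimitives.ReadUInt32BigEndian(input.Slice(1, 4)); break;
            default: return false;                                // not an ext usable as a timestamp
        }
        if (input.Length < headerLen || (sbyte)input[headerLen - 1] != -1) return false;
        // Validate the declared body length against the spec BEFORE touching the body.
        if (declared != 4 && declared != 8 && declared != 12) return false;
        int bodyLen = (int)declared;
        if (input.Length - headerLen < bodyLen) return false;     // truncated body
        ReadOnlySpan<byte> body = input.Slice(headerLen, bodyLen);
        long seconds, nanos;
        if (bodyLen == 4)      { seconds = BinaryPrimitives.ReadUInt32BigEndian(body); nanos = 0; }
        else if (bodyLen == 8) { ulong d = BinaryPrimitives.ReadUInt64BigEndian(body);   // 30-bit nanos | 34-bit seconds
                                 nanos = (long)(d >> 34); seconds = (long)(d & 0x3FFFFFFFFUL); }
        else                   { nanos = BinaryPrimitives.ReadUInt32BigEndian(body);     // uint32 nanos, int64 seconds
                                 seconds = BinaryPrimitives.ReadInt64BigEndian(body.Slice(4)); }
        if (nanos > 999_999_999) return false;                    // spec: nanoseconds must be below 10^9
        // Seconds outside DateTime's range throw ArgumentOutOfRangeException, which,
        // unlike StackOverflowException, the caller can catch.
        value = DateTime.UnixEpoch.AddSeconds(seconds).AddTicks(nanos / 100);
        consumed = headerLen + bodyLen;
        return true;
    }
}
```

A six-byte ext32 header that declares a multi-gigabyte body makes this return false at the length check rather than reaching any allocation.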

Analysis (AI)

Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to terminate host processes by sending a crafted MessagePack timestamp extension payload that triggers an uncatchable StackOverflowException. The flaw stems from a stackalloc operation using an attacker-controlled extension length before validation, enabling a tiny payload to claim a massive stack allocation. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Identify .NET service accepting MessagePack input
Delivery: Craft tiny timestamp extension with huge declared length
Exploit: Send payload to deserialization endpoint
Execution: Trigger oversized stackalloc in ReadDateTime
Persist: Exhaust thread stack
Impact: Uncatchable StackOverflowException terminates host process

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that the target .NET application deserializes attacker-controlled MessagePack input using MessagePack-CSharp prior to 2.5.301 or 3.1.7, and that the deserialization path actually reaches the timestamp extension slow path inside MessagePackReader.ReadDateTime(); this typically means the application accepts MessagePack payloads with arbitrary extension types (rather than a strictly typed schema that excludes timestamps) or explicitly reads DateTime values. …
Risk Assessment: The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N) indicates network-reachable, unauthenticated exploitation but with high attack complexity and a present attack requirement, suggesting non-trivial preconditions such as the application actually invoking ReadDateTime on attacker-controlled input. …
Exploit Scenario: An attacker sends a single small MessagePack payload to a network-exposed .NET service (REST/gRPC/WebSocket/game server) that deserializes user-supplied data with MessagePack-CSharp, embedding a timestamp extension header that declares a huge body length but contains almost no data. When the service calls MessagePackReader.ReadDateTime(), the unvalidated length feeds into stackalloc, the thread stack is exhausted, and the host process terminates with an uncatchable StackOverflowException: a one-packet denial of service. …
Remediation: Vendor-released patch: upgrade to MessagePack-CSharp 2.5.301 (2.x users) or 3.1.7 (3.x users) as documented in advisory GHSA-382j-8mxh-c7x2 (https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-382j-8mxh-c7x2). …

Recommended Action (AI)

Within 24 hours: Inventory all MessagePack for C# deployments and identify affected versions. …
