MessagePack for C# CVE-2026-48506

EUVD-2026-38388 · HIGH
Uncontrolled Recursion (CWE-674)
2026-06-22 GitHub_M
7.5
CVSS 3.1 · Vendor: GitHub_M
Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Remote unauthenticated payload to any MessagePack deserializer with no UI; impact is pure availability via uncatchable StackOverflowException, so C:N/I:N/A:H.

CVSS 3.1: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS 4.0: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

Patch available: Jun 22, 2026 - 23:02 (EUVD)
Analysis Generated: Jun 22, 2026 - 22:19 (vuln.today)

Description (CVE.org)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs. Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException. This vulnerability is fixed in 2.5.301 and 3.1.7.
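The description turns on one property: a skip routine only honours a depth guard if it counts every array or map it enters, including the ones it is merely stepping over. The following is an added example, not code from the MessagePack for C# project or from the advisory. It is a small pre-validator that walks one MessagePack value with an explicit stack instead of recursion, counts container nesting, and rejects the payload once the nesting exceeds a limit, so it can sit in front of a deserializer as a compensating control until the fixed versions (2.5.301 or 3.1.7) are deployed. The default limit of 500 and the sample payloads are constructed for this example; the limit should be set to whatever MaximumObjectGraphDepth the application actually configures.

```python
"""Depth-bounded MessagePack walk: an iterative pre-validator for untrusted payloads."""


class MessagePackDepthError(ValueError):
    """Raised when a value nests deeper than the limit or the payload is malformed."""


# Scalar types: number of payload bytes that follow the type byte.
_FIXED_SIZES = {
    0xC0: 0, 0xC2: 0, 0xC3: 0,                     # nil, false, true
    0xCA: 4, 0xCB: 8,                               # float32, float64
    0xCC: 1, 0xCD: 2, 0xCE: 4, 0xCF: 8,             # uint8..uint64
    0xD0: 1, 0xD1: 2, 0xD2: 4, 0xD3: 8,             # int8..int64
    0xD4: 2, 0xD5: 3, 0xD6: 5, 0xD7: 9, 0xD8: 17,   # fixext1..fixext16 (ext type + data)
}
# Variable-length types: (width of the length field, header bytes after the length).
_LENGTH_PREFIXED = {
    0xC4: (1, 0), 0xC5: (2, 0), 0xC6: (4, 0),       # bin8/16/32
    0xD9: (1, 0), 0xDA: (2, 0), 0xDB: (4, 0),       # str8/16/32
    0xC7: (1, 1), 0xC8: (2, 1), 0xC9: (4, 1),       # ext8/16/32 (length, ext type, data)
}


def max_nesting_depth(data: bytes, limit: int) -> int:
    """Walk one MessagePack value and return its deepest container nesting.

    Every array or map entered counts as one level; the walk raises as soon as a
    level exceeds `limit`, so rejecting an over-deep payload costs O(limit), not
    O(payload). An explicit stack of pending child counts replaces recursion, which
    is exactly the accounting a skip routine needs for a depth guard to hold.
    """
    pos = 0
    pending = []    # for each open container: how many child values are still unread
    deepest = 0

    def read_uint(width: int) -> int:
        nonlocal pos
        if pos + width > len(data):
            raise MessagePackDepthError("truncated payload")
        value = int.from_bytes(data[pos:pos + width], "big")
        pos += width
        return value

    while True:
        if pos >= len(data):
            raise MessagePackDepthError("truncated payload")
        b = data[pos]
        pos += 1
        children = None                         # set when b opens an array or map

        if b <= 0x7F or b >= 0xE0:              # positive / negative fixint
            pass
        elif 0xA0 <= b <= 0xBF:                 # fixstr
            pos += b & 0x1F
        elif 0x90 <= b <= 0x9F:                 # fixarray
            children = b & 0x0F
        elif 0x80 <= b <= 0x8F:                 # fixmap: one key and one value per entry
            children = 2 * (b & 0x0F)
        elif b in _FIXED_SIZES:
            pos += _FIXED_SIZES[b]
        elif b in _LENGTH_PREFIXED:
            width, header = _LENGTH_PREFIXED[b]
            pos += read_uint(width) + header
        elif b in (0xDC, 0xDD):                 # array16 / array32
            children = read_uint(2 if b == 0xDC else 4)
        elif b in (0xDE, 0xDF):                 # map16 / map32
            children = 2 * read_uint(2 if b == 0xDE else 4)
        else:                                   # 0xC1 is reserved by the spec
            raise MessagePackDepthError(f"invalid type byte 0x{b:02x} at offset {pos - 1}")

        if pos > len(data):
            raise MessagePackDepthError("truncated payload")

        if children is not None:
            depth = len(pending) + 1            # the level this container sits at
            if depth > limit:
                raise MessagePackDepthError(f"nesting depth {depth} exceeds limit {limit}")
            deepest = max(deepest, depth)
            if children:
                pending.append(children)        # descend; its children are read next
                continue

        # One complete value consumed (scalar or empty container): charge it to the
        # enclosing container and close every container that is now finished.
        while pending:
            pending[-1] -= 1
            if pending[-1]:
                break
            pending.pop()
        if not pending:
            break                               # the top-level value is complete

    if pos != len(data):
        raise MessagePackDepthError(f"{len(data) - pos} trailing byte(s) after value")
    return deepest


def is_within_depth(data: bytes, limit: int = 500) -> bool:
    """Gate for untrusted bytes. The default limit is an assumption for this example."""
    try:
        max_nesting_depth(data, limit)
        return True
    except MessagePackDepthError:
        return False


def nested_arrays(depth: int) -> bytes:
    """Constructed test input: `depth` single-element arrays wrapping a nil."""
    return b"\x91" * depth + b"\xC0"


# Constructed samples: fixmap {"id": 1, "extra": <nested arrays>}. The "extra" key
# stands for a field the receiving formatter does not know and would skip.
SAMPLE_SHALLOW = b"\x82" + b"\xA2id" + b"\x01" + b"\xA5extra" + nested_arrays(3)
SAMPLE_DEEP = b"\x82" + b"\xA2id" + b"\x01" + b"\xA5extra" + nested_arrays(10_000)

if __name__ == "__main__":
    print("shallow depth:", max_nesting_depth(SAMPLE_SHALLOW, 500))     # 4
    print("deep accepted at limit 500?", is_within_depth(SAMPLE_DEEP, 500))  # False
```

The validator is a stopgap, not a replacement for the upgrade: it runs one extra pass over every inbound message, and it only knows the wire format, not the formatters' own limits. Once the application is on 2.5.301 or 3.1.7 the library's depth checks apply to skipped values as well, and the gate can be dropped or kept as defence in depth.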

Analysis (AI)

Denial of service in MessagePack for C# versions prior to 2.5.301 and 3.1.7 allows remote attackers to crash applications by sending deeply nested MessagePack payloads that trigger uncatchable StackOverflowException via MessagePackReader.TrySkip(). The flaw bypasses the library's own MaximumObjectGraphDepth safeguard because TrySkip() recurses into nested structures without incrementing the depth counter, making any application that deserializes untrusted MessagePack data exploitable. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Recon: Identify endpoint deserializing MessagePack
Delivery: Craft payload with deeply nested skipped field
Exploit: Send payload over network
Install: Formatter invokes reader.Skip()
C2: TrySkip() recurses past depth guard
Execute: StackOverflowException terminates process
Impact: Service denial of availability

Vulnerability Assessment (AI)

Exploitation: The target application must use MessagePack for C# at a version below 2.5.301 or 3.1.7 and must deserialize MessagePack data originating from an untrusted source. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment: The CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (7.5 High) is consistent with the description: a single crafted MessagePack blob delivered over any input channel kills the receiving process with no authentication or user interaction. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario: An attacker sends a single MessagePack-encoded payload containing a deeply nested array or map at any position the server will skip (an unknown field, an ignored member, or a forward-compatibility tail) to any endpoint that deserializes MessagePack from untrusted input, such as a gRPC-like RPC server, a cache layer, or a Unity game backend. When the generated formatter invokes reader.Skip() on the nested value, recursion blows the managed stack and raises an uncatchable StackOverflowException that terminates the host process, achieving denial of service with no authentication, no user interaction, and a minimal payload.
Remediation: Vendor-released patch: upgrade to MessagePack for C# 2.5.301 (2.x branch) or 3.1.7 (3.x branch) as documented in advisory GHSA-vh6j-jc39-fggf at https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-vh6j-jc39-fggf. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 24 hours: Inventory all applications using MessagePack for C# and identify their current versions; assess exposure by determining which applications process untrusted external MessagePack data. …

CVE-2026-48506 vulnerability details – vuln.today
