MessagePack-CSharp CVE-2026-48510

EUVD-2026-38386 · MEDIUM
Improper Handling of Highly Compressed Data (Data Amplification) (CWE-409)
2026-06-22 · GitHub_M
6.3 (CVSS 4.0) · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 3.7 LOW

Network vector with high complexity because LZ4 compression must be enabled and the attacker must reach the deserialization endpoint; availability-only low impact with no scope change.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Patch available: Jun 22, 2026 - 23:02 (EUVD)
Analysis generated: Jun 22, 2026 - 22:27 (vuln.today)

Description (source: CVE.org)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers based on those lengths before validating that the compressed data is valid or that the declared expansion is reasonable. A small payload can claim a very large uncompressed length and force a large allocation before LZ4 decoding begins. This vulnerability is fixed in 2.5.301 and 3.1.7.

Analysis (AI-generated)

LZ4 decompression in MessagePack for C# prior to versions 2.5.301 (v2 branch) and 3.1.7 (v3 branch) allows remote attackers to force excessive heap memory allocations via crafted Lz4Block or Lz4BlockArray payloads that declare arbitrarily large uncompressed lengths. The library allocates an output buffer sized to the attacker-controlled wire-format length field before performing any validation of the compressed data or the reasonableness of the declared expansion, enabling a classic decompression-bomb denial-of-service. …

Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata:

Recon: Identify target endpoint accepting LZ4-compressed MessagePack
Delivery: Craft Lz4Block payload with legitimate compressed data
Exploit: Inflate declared uncompressed length field to multi-gigabyte value
Install: Submit payload to endpoint
C2: Library allocates oversized buffer before validation
Execute: Repeat to exhaust heap memory
Impact: Service availability degraded or crashed

Vulnerability Assessment (AI-generated)

Exploitation: Exploitation requires two simultaneous conditions: first, the target application must be using MessagePack-CSharp for deserialization with LZ4 compression enabled - specifically, it must be processing Lz4Block or Lz4BlockArray message types; applications using standard uncompressed MessagePack are not affected. …

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N) with a base score of 6.3 accurately captures the bounded but real risk. …

Exploit Scenario: An attacker targeting a public-facing .NET API that deserializes untrusted MessagePack input with LZ4 compression enabled sends a stream of small, crafted Lz4Block messages, each asserting an uncompressed length of several gigabytes. The server pre-allocates oversized output buffers for each arriving message before decompression validation fails, progressively exhausting available heap memory and causing the service to degrade or crash. …

Remediation: Upgrade to MessagePack-CSharp 2.5.301 (v2 branch) or 3.1.7 (v3 branch), the vendor-released patches confirmed by GitHub Security Advisory GHSA-v72x-2h86-7f8m, which add validation of declared uncompressed lengths prior to buffer allocation. …
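The fix pattern the remediation describes (validate the declared length before any allocation depends on it), as an added Python example that is not MessagePack-CSharp's code: a minimal LZ4 block decoder that rejects implausible declared lengths up front, grows its output only with bytes actually decoded, and checks the decoded size against the declaration. The 4-byte length prefix in check_payload is a constructed stand-in for this demo, not the library's Lz4Block ext layout, and the 16 MiB cap is an assumed policy value.

```python
MAX_UNCOMPRESSED = 16 * 1024 * 1024  # deployment policy cap (assumed value)
MAX_LZ4_RATIO = 255  # one LZ4 input byte can add at most 255 output bytes

def _read_len(src: bytes, i: int, base: int) -> tuple[int, int]:
    # LZ4 length extension: each 0xFF byte adds 255; a smaller byte ends the run
    while True:
        if i >= len(src):
            raise ValueError("truncated length field")
        base += src[i]
        i += 1
        if src[i - 1] != 255:
            return base, i

def lz4_block_decompress(src: bytes, declared_len: int) -> bytes:
    # Policy checks run first; nothing is sized by the wire value until it passes
    if not 0 <= declared_len <= min(MAX_UNCOMPRESSED, len(src) * MAX_LZ4_RATIO):
        raise ValueError(f"declared length {declared_len} rejected before allocation")
    out = bytearray()  # grows only with bytes actually decoded, never pre-sized
    i, n = 0, len(src)
    while i < n:
        token, i = src[i], i + 1
        lit_len, i = _read_len(src, i, 15) if token >> 4 == 15 else (token >> 4, i)
        if i + lit_len > n or len(out) + lit_len > declared_len:
            raise ValueError("literal run overflows input or declared length")
        out += src[i:i + lit_len]
        i += lit_len
        if i == n:
            break  # the final sequence carries literals only
        offset, i = int.from_bytes(src[i:i + 2], "little"), i + 2
        if i > n or offset == 0 or offset > len(out):
            raise ValueError("match offset truncated or outside decoded window")
        match_len, i = _read_len(src, i, 19) if (token & 0xF) == 15 else ((token & 0xF) + 4, i)
        if len(out) + match_len > declared_len:
            raise ValueError("match overflows declared length")
        start = len(out) - offset
        for k in range(match_len):  # byte-wise copy so overlapping matches work
            out.append(out[start + k])
    if len(out) != declared_len:
        raise ValueError("decoded size differs from declared size")
    return bytes(out)

def check_payload(payload: bytes) -> str:
    # Constructed framing for this demo: 4-byte little-endian declared length,
    # then the LZ4 block. Not MessagePack-CSharp's real Lz4Block ext layout.
    declared = int.from_bytes(payload[:4], "little")
    try:
        return "ok:" + lz4_block_decompress(payload[4:], declared).decode("latin-1")
    except ValueError as exc:
        return "error: " + str(exc)
```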
