
MessagePack-CSharp CVE-2026-48516

EUVD-2026-38380 · MEDIUM
Inefficient Algorithmic Complexity (CWE-407)
2026-06-22 · GitHub_M
Score 6.3 (CVSS 4.0) · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY
6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
3.7 LOW

Network-reachable deserialization endpoint drives AV:N; crafting valid hash-collision key sets requires non-trivial effort (AC:H); no credentials needed (PR:N); impact is bounded to partial CPU exhaustion without confidentiality or integrity consequences (A:L, C:N, I:N).

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Patch available: Jun 22, 2026 - 23:02 (EUVD)
Analysis generated: Jun 22, 2026 - 22:24 (vuln.today)

Description (CVE.org)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer<TKey>(). This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture. This vulnerability is fixed in 2.5.301 and 3.1.7.

Analysis (AI)

CPU denial of service in MessagePack for C# affects applications deserializing ILookup<TKey,TElement> types from untrusted input, exploitable even when the application has explicitly configured MessagePack's untrusted-data security posture. The InterfaceLookupFormatter constructs its internal dictionary with the default equality comparer rather than the security-aware, randomization-backed comparer provided by options.Security.GetEqualityComparer<TKey>(), silently bypassing the protection the developer believed was active. …
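The description and the analysis above both come down to one line in a custom formatter: which comparer the dictionary that groups the incoming keys is built with. The following is an added example, not code from the MessagePack-CSharp project and not its InterfaceLookupFormatter; it is a hypothetical, simplified ILookup formatter that shows the defective construction beside the hardened one. It goes slightly beyond the page by also showing how such a formatter is registered alongside the untrusted-data posture and round-tripped on constructed sample data. The wire layout (a map of key to array of elements) and the class name SecureLookupFormatter are assumptions of this note; MessagePackSecurity.GetEqualityComparer<T>(), DepthStep, WithSecurity and CompositeResolver.Create are real library APIs.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using MessagePack;
using MessagePack.Formatters;
using MessagePack.Resolvers;

// Hypothetical, simplified lookup formatter written for this note; it is NOT the
// project's InterfaceLookupFormatter. Assumed wire format: map of TKey -> array of TElement.
public sealed class SecureLookupFormatter<TKey, TElement> : IMessagePackFormatter<ILookup<TKey, TElement>>
{
    public void Serialize(ref MessagePackWriter writer, ILookup<TKey, TElement> value, MessagePackSerializerOptions options)
    {
        if (value is null) { writer.WriteNil(); return; }
        IMessagePackFormatter<TKey> keyFormatter = options.Resolver.GetFormatterWithVerify<TKey>();
        IMessagePackFormatter<TElement> elementFormatter = options.Resolver.GetFormatterWithVerify<TElement>();

        writer.WriteMapHeader(value.Count);
        foreach (IGrouping<TKey, TElement> group in value)
        {
            keyFormatter.Serialize(ref writer, group.Key, options);
            List<TElement> elements = group.ToList();
            writer.WriteArrayHeader(elements.Count);
            foreach (TElement element in elements)
            {
                elementFormatter.Serialize(ref writer, element, options);
            }
        }
    }

    public ILookup<TKey, TElement> Deserialize(ref MessagePackReader reader, MessagePackSerializerOptions options)
    {
        if (reader.TryReadNil()) { return null; }
        IMessagePackFormatter<TKey> keyFormatter = options.Resolver.GetFormatterWithVerify<TKey>();
        IMessagePackFormatter<TElement> elementFormatter = options.Resolver.GetFormatterWithVerify<TElement>();

        // The defect the advisory describes is equivalent to this construction:
        //   var groups = new Dictionary<TKey, List<TElement>>();
        // The default comparer hashes attacker-supplied keys deterministically, so the
        // untrusted-data posture configured on `options` is silently not applied here.
        //
        // Hardened form: take the comparer from the active security policy. Under
        // MessagePackSecurity.UntrustedData this is the library's collision-resistant comparer.
        IEqualityComparer<TKey> keyComparer = options.Security.GetEqualityComparer<TKey>();
        var groups = new Dictionary<TKey, List<TElement>>(keyComparer);

        // Recursion-depth guard, the pattern the library documents for custom formatters.
        options.Security.DepthStep(ref reader);
        try
        {
            int groupCount = reader.ReadMapHeader();
            for (int i = 0; i < groupCount; i++)
            {
                TKey key = keyFormatter.Deserialize(ref reader, options);
                int elementCount = reader.ReadArrayHeader();
                // Never pre-size a collection from the header: that count is attacker-controlled.
                if (!groups.TryGetValue(key, out List<TElement> bucket))
                {
                    bucket = new List<TElement>();
                    groups.Add(key, bucket);
                }
                for (int j = 0; j < elementCount; j++)
                {
                    bucket.Add(elementFormatter.Deserialize(ref reader, options));
                }
            }
        }
        finally
        {
            reader.Depth--;
        }

        // Build the ILookup with the same comparer so later lookups keep the same behaviour.
        return groups
            .SelectMany(pair => pair.Value, (pair, element) => (pair.Key, element))
            .ToLookup(p => p.Key, p => p.element, keyComparer);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Register the formatter ahead of the standard resolver and opt into the untrusted-data posture.
        IFormatterResolver resolver = CompositeResolver.Create(
            new IMessagePackFormatter[] { new SecureLookupFormatter<string, int>() },
            new IFormatterResolver[] { StandardResolver.Instance });
        MessagePackSerializerOptions options = MessagePackSerializerOptions.Standard
            .WithResolver(resolver)
            .WithSecurity(MessagePackSecurity.UntrustedData);

        // Constructed sample data for the round trip.
        ILookup<string, int> lookup = new[] { ("a", 1), ("a", 2), ("b", 3) }
            .ToLookup(t => t.Item1, t => t.Item2);
        byte[] bytes = MessagePackSerializer.Serialize(lookup, options);
        ILookup<string, int> roundTrip = MessagePackSerializer.Deserialize<ILookup<string, int>>(bytes, options);
        Console.WriteLine($"groups={roundTrip.Count}, a={string.Join(",", roundTrip["a"])}");
    }
}
```

For consumers of the library itself the fix is the version upgrade named in the advisory; this pattern matters when an application ships its own formatters that build a hash-keyed collection from deserialized keys. A quick audit check is to grep such formatters for `new Dictionary<` or `new HashSet<` constructions that take no comparer argument while the application relies on `MessagePackSecurity.UntrustedData`.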


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach network-accessible MessagePack endpoint
Delivery: Craft ILookup payload with colliding TKey hash values
Exploit: Submit payload to trigger InterfaceLookupFormatter
Execution: Default comparer accepts all colliding keys
Persist: O(n²) dictionary insertions exhaust CPU
Impact: Service availability degraded or denied

Vulnerability Assessment (AI)

Exploitation: Three concrete conditions must hold simultaneously: (1) The application uses MessagePack for C# on a version prior to 2.5.301 (2.x) or 3.1.7 (3.x). … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The CVSS 4.0 score of 6.3 with AC:H and AT:P accurately reflects that crafting effective hash-collision payloads is non-trivial and requires attack-specific conditions. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker sends a crafted MessagePack binary payload to a network-accessible endpoint - such as an API or game server - that deserializes ILookup<TKey,TElement> values from client-supplied data. The keys in the payload are engineered to share the same hash code under the default .NET equality comparer, causing the internal dictionary built by InterfaceLookupFormatter to degrade to O(n²) behavior regardless of the application's configured security posture. …

Remediation: Upgrade MessagePack for C# to version 2.5.301 (for 2.x consumers) or 3.1.7 (for 3.x consumers); these are the confirmed patched releases per the vendor advisory at https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-q2h6-ghwm-5qm8. … Detailed patch versions, workarounds, and compensating controls in full report.



CVE-2026-48516 vulnerability details – vuln.today
