MessagePack-CSharp EUVD-2026-38381

CVE-2026-48515 MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-22 GitHub_M
6.3 (CVSS 4.0 · Vendor: GitHub_M)
Severity by source

Vendor (GitHub_M), primary: 6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI: 3.7 LOW

Network-reachable unauthenticated path but requires specific multi-dimensional array schema (AC:H); pure heap-exhaustion availability impact, no confidentiality or integrity effect.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X

Lifecycle Timeline

Patch available: Jun 22, 2026 - 23:02 (EUVD)
Analysis Generated: Jun 22, 2026 - 22:25 (vuln.today)

Description (CVE.org)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T[,], T[,,], or T[,,,] before validating that the dimension product matches the encoded element count. The formatter reads a guarded element array header, but allocation of the target multi-dimensional array happens before the dimensions are checked against that element count. A small payload can therefore declare large dimensions, provide an empty or tiny inner array, and cause a large heap allocation before element data is validated. This vulnerability is fixed in 2.5.301 and 3.1.7.
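
The following is an added illustration of the ordering problem the description contrasts; it is not MessagePack-CSharp's own code. `DimensionHeader`, `ValidateDimensions`, `DeserializeBefore` and `DeserializeAfter` are hypothetical names standing in for the formatter's reader and header types. It generalises the check to any rank (the advisory's T[,], T[,,] and T[,,,] cases) by multiplying the declared dimensions in checked 64-bit arithmetic and comparing the product with the length-guarded element count before any array is allocated.

```csharp
using System;

// Added illustration of the allocate-before-validate ordering described in
// the advisory. Not MessagePack-CSharp's code: DimensionHeader and both
// Deserialize* methods are hypothetical stand-ins.

public sealed class DimensionHeader
{
    // Rank-ordered dimension lengths as read from the payload (attacker-controlled).
    public int[] Dimensions = Array.Empty<int>();

    // Element count from the length-guarded inner array header. The guard
    // bounds this value by the bytes actually present in the payload, so a
    // small message cannot inflate it the way it can inflate the dimensions.
    public int ElementCount;
}

public static class MultiDimFormatter
{
    // Returns the product of the dimensions if it is non-negative and equals
    // the encoded element count; otherwise throws. Checked 64-bit arithmetic
    // ensures an int overflow cannot make a bogus product "match" a small
    // element count.
    public static long ValidateDimensions(int[] dims, int elementCount)
    {
        if (dims.Length == 0)
            throw new InvalidOperationException("rank must be at least 1");
        long product = 1;
        foreach (int d in dims)
        {
            if (d < 0)
                throw new InvalidOperationException($"negative dimension {d}");
            product = checked(product * d);
        }
        if (product != elementCount)
            throw new InvalidOperationException(
                $"dimensions [{string.Join(",", dims)}] imply {product} elements, payload encodes {elementCount}");
        return product;
    }

    // Vulnerable ordering: allocate from the declared dimensions, check afterwards.
    public static int[,] DeserializeBefore(DimensionHeader h)
    {
        var result = new int[h.Dimensions[0], h.Dimensions[1]]; // allocation first
        ValidateDimensions(h.Dimensions, h.ElementCount);       // guard fires too late
        return result;
    }

    // Hardened ordering: validate first, allocate only a consistent shape.
    public static int[,] DeserializeAfter(DimensionHeader h)
    {
        ValidateDimensions(h.Dimensions, h.ElementCount);
        return new int[h.Dimensions[0], h.Dimensions[1]];
    }

    public static void Main()
    {
        // Constructed header in the advisory's shape: huge declared dimensions,
        // tiny inner array.
        var crafted = new DimensionHeader { Dimensions = new[] { 50_000, 50_000 }, ElementCount = 3 };
        try
        {
            DeserializeAfter(crafted);
        }
        catch (InvalidOperationException e)
        {
            Console.WriteLine("rejected before any allocation: " + e.Message);
        }

        // A consistent header still deserializes normally.
        var ok = new DimensionHeader { Dimensions = new[] { 2, 3 }, ElementCount = 6 };
        Console.WriteLine(DeserializeAfter(ok).Length);
    }
}
```

The point of the ordering is that only one of the two numbers is trustworthy: the element count is bounded by the bytes actually received, while the dimension lengths are free integers in the header. `DeserializeBefore` sizes the allocation from the free integers and only then consults the bounded one, so the guard cannot prevent the allocation it was meant to protect; `DeserializeAfter` makes the bounded value the gate for the allocation.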

Analysis (AI)

Heap exhaustion via crafted multi-dimensional array payloads in MessagePack-CSharp affects all v2.x releases before 2.5.301 and all v3.x releases before 3.1.7, enabling remote unauthenticated attackers to trigger disproportionately large heap allocations with minimal payload bytes. The multi-dimensional array formatters (T[,], T[,,], T[,,,]) allocate based on attacker-supplied dimension values before cross-validating against the encoded element count, so a payload declaring a 10000×10000 array with only a handful of elements forces a massive allocation before any guard fires. …


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Send crafted MessagePack payload to public endpoint
Delivery: Invoke multi-dimensional array formatter with attacker-controlled dimensions
Exploit: CLR allocates oversized heap block before element validation
Execution: Repeat to accumulate heap pressure
Persist: Exhaust managed memory
Impact: Cause service degradation or crash

Vulnerability Assessment (AI)

Exploitation: The vulnerable application must be deserializing MessagePack payloads received from an untrusted source, AND the deserialized object graph must include at least one field or property typed as a multi-dimensional array (T[,], T[,,], or T[,,,]). …

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VA:L/SC:N/SI:N/SA:N) signals a network-reachable, unauthenticated path with a Low availability impact, but AC:H and AT:P together indicate meaningful preconditions must be satisfied before exploitation is possible. …

Exploit Scenario: An attacker submits a crafted MessagePack-encoded message to a publicly reachable API endpoint that deserializes a type containing a two-dimensional array field. The payload encodes dimension sizes of, for example, 50,000×50,000 integers but provides only a few actual elements, causing the server process to allocate roughly 10 GB of managed heap before the element-count guard fires and the allocation is discarded. …

Remediation: Upgrade to MessagePack-CSharp 2.5.301 (v2 branch) or 3.1.7 (v3 branch), both of which correct the allocation-before-validation ordering in the multi-dimensional array formatters; the vendor advisory is at https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-cxmj-83gh-fp49. …

