
MessagePack-CSharp EUVD-2026-38382

CVE-2026-48514 · MEDIUM
Allocation of Resources Without Limits or Throttling (CWE-770)
2026-06-22 · GitHub_M
6.3 · CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M), primary: 6.3 MEDIUM
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI: 3.7 LOW

Network-reachable with no auth needed, but AC:H because only specific UnsafeBlitFormatter usage triggers it; impact is availability-only via memory exhaustion.

CVSS 3.1: AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CVSS 4.0: AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS Vector (Vendor: GitHub_M)

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

Patch available: Jun 22, 2026 - 23:02 (EUVD)
Analysis Generated: Jun 22, 2026 - 22:25 (vuln.today)

Description (CVE.org)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase<T>.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining payload bytes. The outer extension header is bounded by available input, but that bound is not used to constrain the inner byteLength before allocation. A very small payload can therefore request a very large T[] allocation. This vulnerability is fixed in 2.5.301 and 3.1.7.

Analysis (AI)

Unchecked large-array allocation in MessagePack for C# exposes any .NET application deserializing untrusted MessagePack extension payloads to a denial-of-service condition. The UnsafeBlitFormatterBase<T>.Deserialize method trusts an attacker-supplied byteLength field from the inner extension payload and allocates a T[] array of that size before comparing it against the outer extension header length or remaining input bytes, meaning a few-byte payload can trigger gigabyte-scale allocations. …
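The ordering defect that both the description and the analysis above describe, shown as an added example in C#. This is not MessagePack-CSharp's own code: `DeserializeUnchecked<T>` is a simplified stand-in for the pre-fix pattern (size the T[] from the inner byteLength first, then copy), and `DeserializeChecked<T>` applies the bound the fix describes, comparing byteLength with the bytes the outer extension header actually covers before anything is allocated. The 4-byte little-endian length prefix, the `extBody` span layout, the class and method names, and the sample inputs are all constructed assumptions for this illustration.

```csharp
using System;
using System.Buffers.Binary;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;

// Illustrative stand-in for a blit-style formatter; not the library's code.
public static class BlitFormatterExample
{
    // Assumed layout of the ext body: a 4-byte little-endian byteLength,
    // followed by the raw element bytes. The outer MessagePack extension
    // header has already limited extBody to the input that really exists.
    private const int LengthPrefixSize = 4;

    // Pre-fix pattern (for comparison only): the array is sized from the
    // attacker-controlled inner byteLength before that value is compared with
    // extBody.Length. A few-byte input can therefore drive a huge allocation;
    // the out-of-range failure in Slice() only surfaces after the memory has
    // already been committed by the new T[] expression.
    public static T[] DeserializeUnchecked<T>(ReadOnlySpan<byte> extBody) where T : unmanaged
    {
        int byteLength = BinaryPrimitives.ReadInt32LittleEndian(extBody);
        var result = new T[byteLength / Unsafe.SizeOf<T>()];   // allocation before validation
        extBody.Slice(LengthPrefixSize, byteLength).CopyTo(MemoryMarshal.AsBytes(result.AsSpan()));
        return result;
    }

    // Hardened pattern: validate the inner byteLength against the bytes the
    // outer extension header covers, and against the element size, before
    // allocating anything from it.
    public static T[] DeserializeChecked<T>(ReadOnlySpan<byte> extBody) where T : unmanaged
    {
        if (extBody.Length < LengthPrefixSize)
            throw new InvalidOperationException("extension body too short for its length prefix");

        int byteLength = BinaryPrimitives.ReadInt32LittleEndian(extBody);
        int available = extBody.Length - LengthPrefixSize;
        int elementSize = Unsafe.SizeOf<T>();

        if (byteLength < 0 || byteLength > available)
            throw new InvalidOperationException(
                $"byteLength {byteLength} exceeds the {available} payload bytes covered by the extension header");
        if (byteLength % elementSize != 0)
            throw new InvalidOperationException(
                $"byteLength {byteLength} is not a multiple of the element size {elementSize}");

        // Only now is the size known to be backed by real input.
        var result = new T[byteLength / elementSize];
        extBody.Slice(LengthPrefixSize, byteLength).CopyTo(MemoryMarshal.AsBytes(result.AsSpan()));
        return result;
    }

    public static void Main()
    {
        // Constructed test input: an 8-byte extension body whose inner
        // byteLength claims 500 MB, the figure used in the exploit scenario.
        var tiny = new byte[8];
        BinaryPrimitives.WriteInt32LittleEndian(tiny, 500 * 1024 * 1024);
        try
        {
            DeserializeChecked<int>(tiny);
        }
        catch (InvalidOperationException ex)
        {
            Console.WriteLine("rejected before allocation: " + ex.Message);
        }

        // Constructed well-formed input: two int32 elements (8 payload bytes).
        var ok = new byte[LengthPrefixSize + 8];
        BinaryPrimitives.WriteInt32LittleEndian(ok, 8);
        BinaryPrimitives.WriteInt32LittleEndian(ok.AsSpan(4), 7);
        BinaryPrimitives.WriteInt32LittleEndian(ok.AsSpan(8), 9);
        int[] values = DeserializeChecked<int>(ok);
        Console.WriteLine("decoded: " + string.Join(",", values));
    }
}
```

The checked path refuses the 8-byte input claiming 500 MB with an exception raised before any `new T[]` executes, and decodes the well-formed input normally. `DeserializeUnchecked<T>` is kept only to show the ordering problem side by side; `Main` deliberately never calls it on the oversized input, since that call would commit the allocation first and fail afterwards.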


Attack Chain (AI-derived)

Hypothetical attack flow derived from CVE metadata

Access: Reach network-exposed MessagePack endpoint
Delivery: Craft extension payload with oversized byteLength field
Exploit: Submit payload to UnsafeBlitFormatterBase<T> deserializer
Execution: Trigger pre-validation T[] allocation from attacker-controlled size
Persist: Exhaust process or system memory
Impact: Cause denial of service

Vulnerability Assessment (AI)

Exploitation: The vulnerable code path is only reached when the application explicitly uses UnsafeBlitFormatterBase<T> (or a formatter derived from it) to deserialize a MessagePack extension-type field - this is not triggered by standard primitive or POCO deserialization. … Additional conditions and limiting factors are described in the full assessment.

Risk Assessment: The provided CVSS 4.0 vector (AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N) scores 6.3 (Medium). …

Exploit Scenario: An attacker sends a crafted MessagePack extension payload to a network-accessible .NET service that deserializes untrusted data using UnsafeBlitFormatterBase<T>. The payload contains a very small outer extension body but embeds a byteLength value set to, for example, 500 MB; the deserializer allocates a T[] of that size before discovering there are only a few bytes of actual input, spiking process memory. …

Remediation: The vendor-released patches are version 2.5.301 (for 2.x users) and version 3.1.7 (for 3.x users); upgrade to the appropriate patched release as the primary remediation. …


EUVD-2026-38382 vulnerability details – vuln.today
