CVE Catalog

CVE-2026-48502

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.25%

15th percentile - higher than 15% of all known CVEs

Summary

In the MessagePack library for C# prior to versions 2.5.301 and 3.1.7, the MessagePackReader.ReadDateTime() method can allocate stack memory based on an attacker-controlled extension length. In the slow path for timestamp extension parsing, the extension body length is not validated before memory allocation, potentially leading to a StackOverflowException.

Risk Assessment

An attacker could exploit this vulnerability to cause the host process to crash, leading to service availability disruptions. This poses a risk to the stability of applications using this library.

Recommendation

It is recommended to upgrade to versions 2.5.301 or 3.1.7 to mitigate this vulnerability. Additionally, a code audit should be conducted to ensure no similar issues exist.

Original NVD description (English source)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS