CVE-2026-48502
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk15th percentile - higher than 15% of all known CVEs
Summary
In the MessagePack library for C# prior to versions 2.5.301 and 3.1.7, the MessagePackReader.ReadDateTime() method can allocate stack memory based on an attacker-controlled extension length. In the slow path for timestamp extension parsing, the extension body length is not validated before memory allocation, potentially leading to a StackOverflowException.
Risk Assessment
An attacker could exploit this vulnerability to cause the host process to crash, leading to service availability disruptions. This poses a risk to the stability of applications using this library.
Recommendation
It is recommended to upgrade to versions 2.5.301 or 3.1.7 to mitigate this vulnerability. Additionally, a code audit should be conducted to ensure no similar issues exist.
Original NVD description (English source)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.

