CVE Catalog

CVE-2026-48510

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.24%

14th percentile - higher than 14% of all known CVEs

Summary

MessagePack for C# has a vulnerability that allows improper memory allocations during the decompression of Lz4Block or Lz4BlockArray data. Prior to versions 2.5.301 and 3.1.7, the validity of compressed data was not checked before allocating output buffers.

Risk Assessment

This vulnerability may lead to Denial of Service (DoS) attacks through excessive memory consumption, potentially affecting application availability.

Recommendation

It is recommended to upgrade to versions 2.5.301 or 3.1.7 to mitigate this vulnerability and secure the application against potential attacks.

Original NVD description (English source)

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers based on those lengths before validating that the compressed data is valid or that the declared expansion is reasonable. A small payload can claim a very large uncompressed length and force a large allocation before LZ4 decoding begins. This vulnerability is fixed in 2.5.301 and 3.1.7.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS