CVE-2026-48510
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
MessagePack for C# has a vulnerability that allows improper memory allocations during the decompression of Lz4Block or Lz4BlockArray data. Prior to versions 2.5.301 and 3.1.7, the validity of compressed data was not checked before allocating output buffers.
Risk Assessment
This vulnerability may lead to Denial of Service (DoS) attacks through excessive memory consumption, potentially affecting application availability.
Recommendation
It is recommended to upgrade to versions 2.5.301 or 3.1.7 to mitigate this vulnerability and secure the application against potential attacks.
Original NVD description (English source)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers based on those lengths before validating that the compressed data is valid or that the declared expansion is reasonable. A small payload can claim a very large uncompressed length and force a large allocation before LZ4 decoding begins. This vulnerability is fixed in 2.5.301 and 3.1.7.

