CVE-2026-48516
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk14th percentile - higher than 14% of all known CVEs
Summary
The MessagePack library for C# has a vulnerability related to the construction of an internal dictionary with the default equality comparer. Versions prior to 2.5.301 and 3.1.7 are susceptible to denial of service attacks using hash collisions.
Risk Assessment
Organizations may experience denial of service attacks that can lead to significant downtime for applications, even if untrusted data security measures are in place.
Recommendation
It is recommended to upgrade to versions 2.5.301 or 3.1.7 to mitigate this vulnerability and secure applications against potential attacks.
Original NVD description (English source)
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer<TKey>(). This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture This vulnerability is fixed in 2.5.301 and 3.1.7.

