CVE-2026-48109
Analyzed Analyzed - Analysis Complete

Out-of-Bounds Read in MessagePack for C# LZ4 Decompression

Vulnerability report for CVE-2026-48109, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, A vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes Lz4Block and Lz4BlockArray. The decoder implementation is based on a deprecated fast-decompression algorithm that does not take a source-length bound. A remote attacker can send a crafted MessagePack payload with manipulated LZ4 token/length fields to force out-of-bounds reads from the compressed input buffer. In affected environments, this can trigger an AccessViolationException during decompression, causing process termination (denial of service). Under some conditions, limited unintended memory disclosure from over-read data may also be possible before failure. This vulnerability is fixed in 2.5.301 and 3.1.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
messagepack messagepack to 2.5.301 (exc)
messagepack messagepack From 3.0.3 (inc) to 3.1.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the MessagePack for C# serializer, specifically in the optional LZ4 decompression path used by the Lz4Block and Lz4BlockArray compression modes. The issue arises because the decoder uses a deprecated fast-decompression algorithm that does not properly enforce source-length bounds. A remote attacker can craft a malicious MessagePack payload with manipulated LZ4 token and length fields, causing the decompression process to read beyond the intended buffer limits.

This out-of-bounds read can trigger an AccessViolationException, which leads to process termination and results in a denial of service. Additionally, under certain conditions, this vulnerability may allow limited unintended memory disclosure from the over-read data before the failure occurs.

The vulnerability is fixed in versions 2.5.301 and 3.1.7 of MessagePack for C#.

Impact Analysis

This vulnerability can impact you by causing denial of service in applications using affected versions of MessagePack for C#. When a maliciously crafted MessagePack payload is processed, it can cause the application to crash due to an AccessViolationException triggered by out-of-bounds reads during decompression.

In some cases, it may also lead to limited unintended memory disclosure, potentially exposing sensitive data from the application's memory before the failure occurs.

Mitigation Strategies

To mitigate this vulnerability, update MessagePack for C# to version 2.5.301 or later, or 3.1.7 or later, where the issue has been fixed.

Compliance Impact

This vulnerability can cause limited unintended memory disclosure from over-read data before failure, which may lead to exposure of sensitive information.

Such unintended memory disclosure could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding of personal and sensitive data.

Additionally, the denial of service caused by process termination could affect system availability, which is also a consideration under these standards.

Detection Guidance

This vulnerability affects MessagePack for C# versions prior to 2.5.301 and 3.1.7 when using the LZ4 decompression path in Lz4Block and Lz4BlockArray compression modes. Detection involves identifying if your system is running an affected version of MessagePack-CSharp and if it processes untrusted MessagePack payloads with LZ4 compression enabled.

Since the vulnerability is triggered by crafted MessagePack payloads causing out-of-bounds reads during decompression, monitoring for AccessViolationException crashes or process terminations related to MessagePack deserialization can be an indicator.

There are no specific commands provided in the available resources to detect exploitation attempts or vulnerable versions directly. However, you can check the installed MessagePack-CSharp package version using package management commands, for example:

  • For .NET projects using NuGet: `dotnet list package | findstr MessagePack`
  • For projects using the NuGet CLI: `nuget list MessagePack`

To detect suspicious network activity, you could monitor for unusual or malformed MessagePack payloads, but no specific signature or command is provided.

Workarounds include disabling LZ4 compression for untrusted input or isolating deserialization in a separate process, which can help mitigate risk while detection capabilities are limited.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48109. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart