CVE-2026-48109
Out-of-Bounds Read in MessagePack for C# LZ4 Decompression

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, a vulnerability exists in the optional LZ4 decompression path used by the MessagePack compression modes Lz4Block and Lz4BlockArray. The decoder implementation is based on a deprecated fast-decompression algorithm that does not take a source-length bound. A remote attacker can send a crafted MessagePack payload with manipulated LZ4 token/length fields to force out-of-bounds reads from the compressed input buffer. In affected environments, this can trigger an AccessViolationException during decompression, causing process termination (denial of service). Under some conditions, limited unintended memory disclosure from over-read data may also be possible before failure. This vulnerability is fixed in 2.5.301 and 3.1.7.
Generated: 2026-06-23
Affected Vendors & Products
Vendor: neuecc
Product: messagepack_for_csharp
Version / Range: versions before 2.5.301 (2.5.301 excluded); 3.x versions before 3.1.7 (3.1.7 excluded)
CWE
CWE-20 (Improper Input Validation): The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
Executive Summary

This vulnerability exists in the MessagePack for C# serializer, specifically in the optional LZ4 decompression path used by the Lz4Block and Lz4BlockArray compression modes. The issue arises because the decoder uses a deprecated fast-decompression algorithm that takes no source-length bound, so it never checks that a token or length field stays within the compressed input. A remote attacker can craft a malicious MessagePack payload with manipulated LZ4 token and length fields, causing the decompressor to read beyond the end of the input buffer.

This out-of-bounds read can trigger an AccessViolationException, which leads to process termination and results in a denial of service. Additionally, under certain conditions, this vulnerability may allow limited unintended memory disclosure from the over-read data before the failure occurs.

The vulnerability is fixed in versions 2.5.301 and 3.1.7 of MessagePack for C#.

Impact Analysis

This vulnerability affects applications that deserialize untrusted MessagePack data with an affected version of MessagePack for C# and the Lz4Block or Lz4BlockArray compression mode enabled. When a maliciously crafted payload is processed, the out-of-bounds read during decompression can raise an AccessViolationException and crash the process, resulting in denial of service.

In some cases, it may also lead to limited unintended memory disclosure, potentially exposing sensitive data from the application's memory before the failure occurs.

Mitigation Strategies

To mitigate this vulnerability, update MessagePack for C# to version 2.5.301 or later, or 3.1.7 or later, where the issue has been fixed.

Compliance Impact

This vulnerability can cause limited unintended memory disclosure from over-read data before failure, which may lead to exposure of sensitive information.

Such unintended memory disclosure could potentially impact compliance with data protection regulations like GDPR and HIPAA, which require safeguarding of personal and sensitive data.

Additionally, the denial of service caused by process termination could affect system availability, which is also a consideration under these standards.
