CVE-2026-48502
Analyzed Analyzed - Analysis Complete

Stack Overflow in MessagePack for C#

Vulnerability report for CVE-2026-48502, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
messagepack messagepack to 2.5.301 (exc)
messagepack messagepack From 3.0.3 (inc) to 3.1.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-470 The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
CWE-502 The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid.
CWE-409 The product does not handle or incorrectly handles a compressed input with a very high compression ratio that produces a large output.
CWE-789 The product allocates memory based on an untrusted, large size value, but it does not ensure that the size is within expected limits, allowing arbitrary amounts of memory to be allocated.
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.
CWE-125 The product reads data past the end, or before the beginning, of the intended buffer.
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
CWE-190 The product performs a calculation that can produce an integer overflow or wraparound when the logic assumes that the resulting value will always be larger than the original value. This occurs when an integer value is incremented to a value that is too large to store in the associated representation. When this occurs, the value may become a very small or negative number.
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in MessagePack for C#, specifically in the MessagePackReader.ReadDateTime() method prior to versions 2.5.301 and 3.1.7.

The issue arises because the method allocates stack memory based on an attacker-controlled extension length without validating it first. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the input data and is used in a stackalloc operation before confirming that the extension length is valid.

An attacker can craft a small payload that claims a very large timestamp extension body, causing a large stack allocation that triggers an uncatchable StackOverflowException, which terminates the host process.

This vulnerability has been fixed in versions 2.5.301 and 3.1.7 of MessagePack for C#.

Impact Analysis

This vulnerability can cause the host process using MessagePack for C# to terminate unexpectedly due to an uncatchable StackOverflowException.

An attacker can exploit this by sending a specially crafted MessagePack payload that triggers a large stack allocation, leading to a denial of service (DoS) condition.

Because the exception is uncatchable, the application cannot recover from this error, potentially causing service interruptions or crashes.

Mitigation Strategies

To mitigate this vulnerability, update MessagePack for C# to version 2.5.301 or 3.1.7 or later, where the issue has been fixed.

Compliance Impact

The vulnerability in MessagePack for C# can cause a denial of service by terminating the host process through an uncatchable StackOverflowException when deserializing untrusted payloads containing DateTime values.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the denial of service impact could affect availability requirements under these regulations.

Specifically, HIPAA and GDPR require ensuring the availability and integrity of systems processing sensitive data. A denial of service vulnerability could lead to non-compliance if it disrupts access to protected health information or personal data.

Mitigations such as patching to version 3.1.7 or avoiding deserialization of untrusted payloads can help maintain compliance by preventing service interruptions.

Detection Guidance

This vulnerability occurs when deserializing untrusted MessagePack payloads containing DateTime or DateTimeOffset values with an attacker-controlled extension length that causes a stack overflow. Detection involves monitoring for crashes or unexpected termination of applications using vulnerable versions of MessagePack-CSharp (versions prior to 2.5.301 and 3.1.7).

There are no specific commands provided in the available resources to detect this vulnerability directly on your network or system.

As a general approach, you can check the version of the MessagePack-CSharp library used in your applications to identify if they are vulnerable. For example, in a .NET project, you can run the following command to list package versions:

  • dotnet list package | findstr MessagePack

Additionally, monitoring application logs for StackOverflowException or unexpected process terminations related to MessagePack deserialization may help detect exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48502. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart