CVE-2026-48506
Analyzed Analyzed - Analysis Complete

Stack Overflow in MessagePack for C#

Vulnerability report for CVE-2026-48506, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-23

Assigner: GitHub, Inc.

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs. Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException. This vulnerability is fixed in 2.5.301 and 3.1.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-23
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
messagepack messagepack to 2.5.301 (exc)
messagepack messagepack From 3.0.3 (inc) to 3.1.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability causes an uncatchable StackOverflowException leading to a denial-of-service condition by terminating the process when deserializing untrusted data. This disruption of service availability could impact compliance with standards and regulations that require maintaining system availability and reliability, such as GDPR and HIPAA.

However, there is no direct information provided about data confidentiality or integrity breaches, so the impact on compliance is primarily related to availability concerns.

Impact Analysis

This vulnerability can cause an application using affected versions of MessagePack for C# to crash due to an uncatchable StackOverflowException.

Such crashes can lead to denial of service (DoS), where the application becomes unavailable or unstable.

Since the vulnerability does not affect confidentiality or integrity, the primary impact is availability disruption.

Executive Summary

The vulnerability exists in MessagePack for C# versions prior to 2.5.301 and 3.1.7, specifically in the MessagePackReader.TrySkip() method. This method recursively processes nested arrays and maps without properly incrementing the reader depth or enforcing the configured depth checks.

Because of this, the protection mechanism called MessagePackSecurity.MaximumObjectGraphDepth, which is designed to prevent excessively deep object graphs, can be bypassed.

Many formatters call reader.Skip() to ignore unknown or irrelevant data for forward compatibility. If deeply nested values exist in these skipped positions, it can cause unbounded recursion leading to an uncatchable StackOverflowException.

This issue was fixed in versions 2.5.301 and 3.1.7.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade MessagePack for C# to version 2.5.301 or 3.1.7 or later, where the issue with MessagePackReader.TrySkip() has been fixed.

Detection Guidance

This vulnerability occurs when the MessagePack-CSharp library processes deeply nested MessagePack payloads, leading to an uncatchable StackOverflowException. Detection involves identifying if your application uses affected versions of the MessagePack-CSharp library (prior to 2.5.301 and 3.1.7) and whether it deserializes untrusted data that may contain deeply nested arrays or maps.

Since the issue manifests as a StackOverflowException during deserialization, monitoring application logs for such exceptions or unexpected crashes can help detect exploitation attempts.

There are no specific commands provided to detect this vulnerability directly on the network or system. However, you can check the installed version of the MessagePack-CSharp library in your application dependencies to determine if it is vulnerable.

  • For .NET projects, use the following command to check the installed MessagePack package version: `dotnet list package | findstr MessagePack`
  • Alternatively, inspect your project files (e.g., .csproj) or package manager files to verify the MessagePack-CSharp version.

To detect potential exploitation, monitor for application crashes or StackOverflowExceptions related to MessagePack deserialization.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48506. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart