CVE-2026-48506
Received - Intake
Stack Overflow in MessagePack for C#

Publication date: 2026-06-22

Last updated on: 2026-06-22

Assigner: GitHub, Inc.

Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs. Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException. This vulnerability is fixed in 2.5.301 and 3.1.7.
Meta Information
Published: 2026-06-22
Last Modified: 2026-06-22
Generated: 2026-06-23
AI Q&A: 2026-06-23
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor    Product                    Version / Range
neuecc    messagepack_for_csharp     2.5.301
neuecc    messagepack_for_csharp     3.1.7
CWE ID: CWE-674
Description: The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Executive Summary

The vulnerability exists in MessagePack for C# versions prior to 2.5.301 and 3.1.7, specifically in the MessagePackReader.TrySkip() method. This method recursively processes nested arrays and maps without properly incrementing the reader depth or enforcing the configured depth checks.

Because of this, the protection mechanism called MessagePackSecurity.MaximumObjectGraphDepth, which is designed to prevent excessively deep object graphs, can be bypassed.

Many formatters call reader.Skip() to ignore unknown or irrelevant data for forward compatibility. A deeply nested value in one of these skipped positions can cause unbounded recursion, leading to an uncatchable StackOverflowException.

This issue was fixed in versions 2.5.301 and 3.1.7.

Impact Analysis

This vulnerability can cause an application using affected versions of MessagePack for C# to crash due to an uncatchable StackOverflowException.

Such crashes can lead to denial of service (DoS), where the application becomes unavailable or unstable.

Since the vulnerability does not affect confidentiality or integrity, the primary impact is availability disruption.

Mitigation Strategies

To mitigate this vulnerability, you should upgrade MessagePack for C# to version 2.5.301 or 3.1.7 or later, where the issue with MessagePackReader.TrySkip() has been fixed.
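
The depth accounting that the description says TrySkip() omitted can be illustrated with a stand-alone walk over the MessagePack wire format. This is an added example, not code from MessagePack for C# or from this advisory, and it is not the project's fix; the class name MsgPackDepthGuard, the method IsWithinDepth and its maxDepth parameter are assumptions of the example.

```csharp
using System;
using System.Collections.Generic;
// Added example, not MessagePack for C# code. Nesting is tracked on a heap stack capped at maxDepth.
public static class MsgPackDepthGuard
{
    // True only if data is exactly one well-formed MessagePack value whose array/map nesting
    // is at most maxDepth; false if it is deeper, truncated or followed by extra bytes.
    public static bool IsWithinDepth(ReadOnlySpan<byte> data, int maxDepth)
    {
        var open = new Stack<long>();   // values still expected in each open container
        int pos = 0;
        while (true)
        {
            if (pos >= data.Length) return false;                 // truncated
            byte b = data[pos++];
            long n = 0;                                           // payload length or item count
            int lenBytes = 0, extra = 0, mult = 0;                // mult: 0 leaf, 1 array, 2 map
            if (b <= 0x7f || b >= 0xe0) { }                       // fixint
            else if (b <= 0x8f) { n = b & 0x0f; mult = 2; }       // fixmap
            else if (b <= 0x9f) { n = b & 0x0f; mult = 1; }       // fixarray
            else if (b <= 0xbf) n = b & 0x1f;                     // fixstr
            else if (b == 0xc1) return false;                     // reserved type byte
            else if (b <= 0xc3) { }                               // nil, false, true
            else if (b <= 0xc6) lenBytes = 1 << (b - 0xc4);       // bin 8/16/32
            else if (b <= 0xc9) { lenBytes = 1 << (b - 0xc7); extra = 1; }  // ext 8/16/32 + type byte
            else if (b <= 0xcb) n = 4 << (b - 0xca);              // float 32/64
            else if (b <= 0xcf) n = 1 << (b - 0xcc);              // uint 8..64
            else if (b <= 0xd3) n = 1 << (b - 0xd0);              // int 8..64
            else if (b <= 0xd8) n = 1 + (1 << (b - 0xd4));        // fixext 1..16 + type byte
            else if (b <= 0xdb) lenBytes = 1 << (b - 0xd9);       // str 8/16/32
            else if (b <= 0xdd) { lenBytes = 2 << (b - 0xdc); mult = 1; }   // array 16/32
            else { lenBytes = 2 << (b - 0xde); mult = 2; }        // map 16/32
            if (lenBytes > data.Length - pos) return false;       // length field truncated
            for (int i = 0; i < lenBytes; i++) n = (n << 8) | data[pos++];  // big-endian length
            if (mult == 0)
            {
                if (n + extra > data.Length - pos) return false;  // payload truncated
                pos += (int)(n + extra);
            }
            else if (open.Count >= maxDepth) return false;        // depth check applied while skipping
            else if (n > 0) { open.Push(n * mult); continue; }    // descend without recursing
            while (open.Count > 0)                                // one value done: close full containers
            {
                long left = open.Pop() - 1;
                if (left > 0) { open.Push(left); break; }
            }
            if (open.Count == 0) return pos == data.Length;       // root value complete
        }
    }
}
```

For a constructed payload of 10,000 `0x91` bytes followed by `0xc0` (10,000 nested one-element arrays), `IsWithinDepth(payload, 64)` returns false after reading 65 bytes, with no growth of the thread stack.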
