CVE-2026-48511
Analyzed Analyzed - Analysis Complete

Denial of Service in MessagePack for C#

Vulnerability report for CVE-2026-48511, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-25
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-12
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
messagepack messagepack to 2.5.301 (exc)
messagepack messagepack From 3.0.3 (inc) to 3.1.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-407 An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

This vulnerability primarily impacts system availability by causing CPU exhaustion and excessive memory allocation, potentially making a server unresponsive or crashing under concurrent load.

While the CVE description and resources do not explicitly mention compliance with standards like GDPR or HIPAA, disruptions in system availability could indirectly affect compliance by impacting the availability and reliability of systems that handle sensitive data.

Mitigations such as upgrading to patched versions, avoiding deserialization of untrusted payloads into ExpandoObject, and enforcing request-size limits can help maintain system stability and thus support compliance efforts.

Executive Summary

This vulnerability exists in MessagePack for C#, specifically in versions prior to 2.5.301 and 3.1.7. The ExpandoObjectFormatter.Deserialize method populates a System.Dynamic.ExpandoObject by adding each map entry using IDictionary<string, object>.Add. Internally, ExpandoObject maintains member names in array-like structures, so inserting many distinct keys causes repeated linear scans and array copies. When processing large attacker-controlled maps, this results in quadratic CPU and memory allocation behavior, leading to performance degradation.

The issue is notable because even though ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, which uses collision-resistant dictionary comparers, these cannot protect against the internal insertion inefficiencies of ExpandoObject.

This vulnerability was fixed in versions 2.5.301 and 3.1.7 of MessagePack for C#.

Impact Analysis

This vulnerability can lead to significant performance degradation when deserializing large attacker-controlled maps using MessagePack for C#. The quadratic CPU and memory allocation behavior can cause excessive resource consumption, potentially leading to denial of service (DoS) conditions where the application becomes slow or unresponsive.

Mitigation Strategies

To mitigate this vulnerability, update MessagePack for C# to version 2.5.301 or later, or 3.1.7 or later, where the issue has been fixed.

Detection Guidance

This vulnerability can be detected by monitoring for unusually high CPU usage or memory allocation spikes during deserialization of MessagePack payloads, especially when processing large maps with many distinct keys into ExpandoObject.

Since the issue arises from deserializing attacker-controlled large maps, detection can involve inspecting network traffic for large MessagePack payloads containing many distinct keys.

Suggested commands include using network packet inspection tools like tcpdump or Wireshark to capture MessagePack traffic, and then analyzing payload sizes and map entry counts.

  • Use tcpdump to capture traffic on the relevant port: tcpdump -i <interface> port <port_number> -w capture.pcap
  • Analyze captured packets with Wireshark or a custom script to identify large MessagePack maps with many keys.
  • Monitor system CPU and memory usage with commands like top, htop, or Windows Task Manager during deserialization operations.
  • If you have access to application logs or telemetry, look for deserialization errors or performance degradation correlated with large or complex MessagePack payloads.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48511. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart