CVE-2026-48515
Analyzed Analyzed - Analysis Complete

Memory Corruption in MessagePack for C#

Vulnerability report for CVE-2026-48515, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-22

Last updated on: 2026-06-25

Assigner: GitHub, Inc.

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T[,], T[,,], or T[,,,] before validating that the dimension product matches the encoded element count. The formatter reads a guarded element array header, but allocation of the target multi-dimensional array happens before the dimensions are checked against that element count. A small payload can therefore declare large dimensions, provide an empty or tiny inner array, and cause a large heap allocation before element data is validated. This vulnerability is fixed in 2.5.301 and 3.1.7.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-22
Last Modified
2026-06-25
Generated
2026-07-13
AI Q&A
2026-06-23
EPSS Evaluated
2026-07-11
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
messagepack messagepack to 2.5.301 (exc)
messagepack messagepack From 3.0.3 (inc) to 3.1.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in MessagePack for C#, specifically in its multi-dimensional array formatters prior to versions 2.5.301 and 3.1.7. The formatter reads dimension lengths directly from the payload and allocates multi-dimensional arrays (such as T[,], T[,,], or T[,,,]) before verifying that the total number of elements matches the encoded element count. Because the allocation happens before validation, an attacker can craft a small payload that declares very large dimensions but provides only a tiny or empty inner array. This causes the program to allocate a large amount of heap memory unnecessarily, potentially leading to resource exhaustion.

Impact Analysis

The vulnerability can lead to excessive memory allocation on the heap, which may cause a denial of service (DoS) condition by exhausting system memory resources. This can degrade system performance or cause the application to crash, impacting availability.

Mitigation Strategies

To mitigate this vulnerability, update MessagePack for C# to version 2.5.301 or 3.1.7 or later, where the issue has been fixed.

Compliance Impact

This vulnerability primarily impacts system availability by causing excessive memory allocation, which can lead to out-of-memory exceptions and system crashes. It does not directly involve unauthorized access to or disclosure of personal or sensitive data.

Therefore, while it may affect the reliability and availability of systems processing untrusted MessagePack payloads, there is no explicit indication that it compromises compliance with data protection standards such as GDPR or HIPAA, which focus on confidentiality, integrity, and privacy of personal data.

However, if system availability is critical to compliance requirements, organizations should consider the risk of denial-of-service conditions caused by this vulnerability and apply patches or mitigations accordingly.

Detection Guidance

This vulnerability can be detected by monitoring for unusual memory allocation patterns or out-of-memory exceptions in applications using MessagePack-CSharp to deserialize multi-dimensional arrays from untrusted payloads.

Specifically, detection involves identifying if the application is deserializing MessagePack payloads containing multi-dimensional arrays (T[,], T[,,], T[,,,]) where the dimension lengths declared in the payload do not match the actual element count, leading to excessive memory allocation.

Since the vulnerability is triggered by network-based payloads, network monitoring tools can be used to capture and analyze MessagePack payloads for suspicious dimension values.

Suggested commands or approaches include:

  • Use application logs or monitoring tools to detect out-of-memory exceptions or crashes related to MessagePack deserialization.
  • Capture network traffic on ports used by the vulnerable application and analyze MessagePack payloads for unusually large dimension values in multi-dimensional arrays.
  • If you have access to the application source or runtime, add instrumentation or debugging to log the dimensions and element counts during deserialization in TwoDimensionalArrayFormatter<T>.Deserialize, ThreeDimensionalArrayFormatter<T>.Deserialize, and FourDimensionalArrayFormatter<T>.Deserialize.
  • Use memory profiling tools to monitor heap allocations and CPU usage spikes that may indicate exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-48515. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart