CVE-2026-44375
Severity: HIGH
Nerdbank.MessagePack: Attacker-controlled stackalloc in DateTime decoding causes process-terminating StackOverflowException
Title source: cnaDescription
Nerdbank.MessagePack is a NativeAOT-compatible MessagePack serialization library. Prior to 1.1.62, Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a StackOverflowException, which is not catchable by user code and terminates the process. This vulnerability is fixed in 1.1.62.
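The advisory names the bug class (CWE-789, a stack allocation sized by wire data) but the affected code is not reproduced on this page. The following is an added, hypothetical C# example written for this page; it is not Nerdbank.MessagePack's source and does not claim to match the fix in the referenced pull request. It shows a minimal MessagePack ext-header reader for the timestamp extension (ext type -1), a decoder that passes the declared length straight to `stackalloc` as the advisory describes, and a hardened decoder that bounds the length to the 4, 8 or 12 bytes the MessagePack timestamp spec permits before any stack allocation happens. The byte arrays `Benign` and `Malicious` are constructed for the example.

```csharp
using System;
using System.Buffers.Binary;

// Illustrative reader for the MessagePack timestamp extension (ext type -1).
// Written for this page to show the CWE-789 pattern; not the library's code.
public static class TimestampDecoder
{
    // Constructed inputs. fixext 4 (0xd6), type -1 (0xff), 4-byte seconds = 42.
    public static readonly byte[] Benign = { 0xd6, 0xff, 0x00, 0x00, 0x00, 0x2a };
    // ext 32 (0xc9), declared length 0x7fffffff, type -1: claims ~2 GiB of
    // timestamp payload that is not present in the buffer at all.
    public static readonly byte[] Malicious = { 0xc9, 0x7f, 0xff, 0xff, 0xff, 0xff };

    // Decodes the ext header: (declared payload length, ext type, header size).
    static (uint Length, sbyte Type, int HeaderSize) ReadExtHeader(ReadOnlySpan<byte> b)
    {
        switch (b[0])
        {
            case 0xd4: return (1, (sbyte)b[1], 2);   // fixext 1
            case 0xd5: return (2, (sbyte)b[1], 2);   // fixext 2
            case 0xd6: return (4, (sbyte)b[1], 2);   // fixext 4
            case 0xd7: return (8, (sbyte)b[1], 2);   // fixext 8
            case 0xd8: return (16, (sbyte)b[1], 2);  // fixext 16
            case 0xc7: return (b[1], (sbyte)b[2], 3);                                      // ext 8
            case 0xc8: return (BinaryPrimitives.ReadUInt16BigEndian(b.Slice(1)), (sbyte)b[3], 4); // ext 16
            case 0xc9: return (BinaryPrimitives.ReadUInt32BigEndian(b.Slice(1)), (sbyte)b[5], 6); // ext 32
            default: throw new FormatException("not an ext value");
        }
    }

    // VULNERABLE: the stackalloc size is the attacker's declared length. With
    // Malicious this asks for ~2 GiB of stack; .NET raises StackOverflowException,
    // which user code cannot catch, and the process is torn down. The Slice()
    // bounds check on the next line never gets a chance to run.
    public static DateTime DecodeVulnerable(ReadOnlySpan<byte> input)
    {
        var (len, type, hdr) = ReadExtHeader(input);
        if (type != -1) throw new FormatException("not a timestamp");
        Span<byte> scratch = stackalloc byte[(int)len];   // attacker-controlled size
        input.Slice(hdr, (int)len).CopyTo(scratch);       // too late to save the process
        return FromTimestampBytes(scratch);
    }

    // HARDENED: a timestamp ext payload is exactly 4, 8 or 12 bytes
    // (timestamp 32 / 64 / 96). Validate the declared length and the available
    // input first, and size the stack buffer with a compile-time constant.
    public static DateTime DecodeHardened(ReadOnlySpan<byte> input)
    {
        var (len, type, hdr) = ReadExtHeader(input);
        if (type != -1) throw new FormatException("not a timestamp");
        if (len != 4 && len != 8 && len != 12)
            throw new FormatException($"invalid timestamp ext length {len}");
        if (input.Length < hdr + (int)len)
            throw new FormatException("truncated timestamp");
        Span<byte> scratch = stackalloc byte[12];          // constant upper bound
        input.Slice(hdr, (int)len).CopyTo(scratch);
        return FromTimestampBytes(scratch.Slice(0, (int)len));
    }

    // Converts a timestamp 32/64/96 payload to a UTC DateTime per the MessagePack spec.
    static DateTime FromTimestampBytes(ReadOnlySpan<byte> p)
    {
        long seconds;
        uint nanos;
        switch (p.Length)
        {
            case 4:
                seconds = BinaryPrimitives.ReadUInt32BigEndian(p);
                nanos = 0;
                break;
            case 8:
                ulong v = BinaryPrimitives.ReadUInt64BigEndian(p);
                nanos = (uint)(v >> 34);                // upper 30 bits
                seconds = (long)(v & 0x3ffffffffUL);    // lower 34 bits
                break;
            case 12:
                nanos = BinaryPrimitives.ReadUInt32BigEndian(p);
                seconds = BinaryPrimitives.ReadInt64BigEndian(p.Slice(4));
                break;
            default:
                throw new FormatException("invalid timestamp length");
        }
        return DateTime.UnixEpoch.AddSeconds(seconds).AddTicks(nanos / 100);
    }

    public static void Main()
    {
        Console.WriteLine(DecodeHardened(Benign));   // 1970-01-01 00:00:42
        try { DecodeHardened(Malicious); }
        catch (FormatException e) { Console.WriteLine("rejected: " + e.Message); }
        // DecodeVulnerable(Malicious) is deliberately not called: it would end the process.
    }
}
```

The practitioner's check is the same whichever deserializer is in use: any `stackalloc` whose size comes from the input must be preceded by a bound that the format guarantees (here the spec's 4/8/12 bytes) or must fall back to a heap or pooled buffer above a small constant threshold, because a StackOverflowException in .NET is fatal rather than a recoverable parse error. For the real library, upgrading to 1.1.62 or later is the fix; the hardened code above only illustrates the shape of that mitigation.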
References (4)
x_refsource_confirm: https://github.com/AArnott/Nerdbank.MessagePack/security/advisories/GHSA-2cwq-pwfr-wcw3
x_refsource_misc: https://github.com/AArnott/Nerdbank.MessagePack/pull/941
x_refsource_misc: https://github.com/AArnott/Nerdbank.MessagePack/commit/7d1eb319cfabe7280e70699946c9a48579fa2f30
x_refsource_misc: https://github.com/AArnott/Nerdbank.MessagePack/releases/tag/v1.1.62
Scores
CVSS v3 base score: 7.5 (HIGH)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector: NETWORK
EPSS: 0.0006 (percentile 17.1%)
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-789 (Memory Allocation with Excessive Size Value)
Status: published
Products (2)
AArnott/Nerdbank.MessagePack: < 1.1.62
nuget/Nerdbank.MessagePack (NuGet): >= 0, < 1.1.62
Published: May 14, 2026
Tracked Since: May 14, 2026