CVE-2026-48502
HIGH
MessagePack-CSharp ReadDateTime - Stack Overflow Denial of Service
Title source: manual
Description
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.
References (1)
Core References
x_refsource_confirm
https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-382j-8mxh-c7x2
Scores
CVSS v3
7.5
EPSS
0.0024
EPSS Percentile
15.4%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-1188
CWE-125
CWE-190
CWE-407
CWE-409
CWE-470
CWE-502
CWE-674
CWE-789
Status
published
Products (3)
messagepack/messagepack
< 2.5.301
MessagePack-CSharp/MessagePack-CSharp
< 2.5.301
MessagePack-CSharp/MessagePack-CSharp
>= 3.1.7, < 3.1.7
Published
Jun 22, 2026
Tracked Since
Jun 23, 2026