Uncontrolled Stack Allocation Vulnerability in Nerdbank.MessagePack Library
CVE-2026-44375

7.5 HIGH

Key Information:

Vendor: Aarnott
CVE Published: 14 May 2026

What is CVE-2026-44375?

The Nerdbank.MessagePack library, which is used for MessagePack serialization, contains an uncontrolled stack allocation vulnerability prior to version 1.1.62. This flaw arises in the DateTime decoding process, where a maliciously crafted MessagePack payload can specify an oversized timestamp extension length. This results in the reader allocating an unbounded number of bytes on the stack, potentially causing a StackOverflowException. This exception cannot be caught by user code, leading to an abrupt termination of the process and unexpected application behavior. To mitigate this issue, users are advised to upgrade to version 1.1.62 or later.
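As an added illustration of the flaw class described above (this is not Nerdbank.MessagePack's own code; the class and method names are assumed), the unsafe pattern is shown beside a hardened decoder that validates the declared timestamp extension length against the three sizes the MessagePack specification allows before touching the stack:

```csharp
using System;
using System.Buffers.Binary;

// Hypothetical stand-alone illustration, not Nerdbank.MessagePack code: an ext length
// read from untrusted input drives a stackalloc. Names below are assumed.
static class TimestampDecoding
{
    // MessagePack timestamp ext (type -1) has exactly three legal payload sizes.
    static readonly int[] LegalLengths = { 4, 8, 12 };

    // "Before": the declared ext length is trusted and placed straight on the stack.
    // An oversized length exhausts the stack; the resulting StackOverflowException
    // cannot be caught by user code and terminates the process.
    public static DateTime DecodeTimestampVulnerable(ReadOnlySpan<byte> payload, int declaredLength)
    {
        Span<byte> scratch = stackalloc byte[declaredLength];   // unbounded, attacker-chosen
        payload.Slice(0, Math.Min(payload.Length, declaredLength)).CopyTo(scratch);
        return Interpret(scratch);
    }

    // "After": reject anything that is not a well-formed timestamp before allocating,
    // and allocate only a fixed, small scratch buffer.
    public static DateTime DecodeTimestampHardened(ReadOnlySpan<byte> payload, int declaredLength)
    {
        if (Array.IndexOf(LegalLengths, declaredLength) < 0 || payload.Length < declaredLength)
            throw new FormatException($"Invalid timestamp extension length {declaredLength}.");
        Span<byte> scratch = stackalloc byte[12];
        payload.Slice(0, declaredLength).CopyTo(scratch);
        return Interpret(scratch.Slice(0, declaredLength));
    }

    // Decodes the 32-, 64- or 96-bit timestamp layouts from the MessagePack spec.
    static DateTime Interpret(ReadOnlySpan<byte> data)
    {
        long seconds; uint nanos = 0;
        switch (data.Length)
        {
            case 4: seconds = BinaryPrimitives.ReadUInt32BigEndian(data); break;
            case 8:
                ulong packed = BinaryPrimitives.ReadUInt64BigEndian(data);
                nanos = (uint)(packed >> 34); seconds = (long)(packed & 0x3FFFFFFFFUL); break;
            case 12:
                nanos = BinaryPrimitives.ReadUInt32BigEndian(data);
                seconds = BinaryPrimitives.ReadInt64BigEndian(data.Slice(4)); break;
            default: throw new FormatException("Unsupported timestamp length.");
        }
        return DateTime.UnixEpoch.AddSeconds(seconds).AddTicks(nanos / 100);
    }
}
```

The same length check should sit in front of any stackalloc whose size comes from the wire; for genuinely variable sizes, fall back to a pooled heap buffer above a small fixed threshold.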

Affected Version(s)

Nerdbank.MessagePack < 1.1.62

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
