LZ4 Decompression Vulnerability in MessagePack for C# by MessagePack-CSharp
CVE-2026-48109

8.2 HIGH

Key Information:

Vendor
CVE Published:
22 June 2026

What is CVE-2026-48109?

A vulnerability exists in the LZ4 decompression method of MessagePack for C#, specifically in versions earlier than 2.5.301 and 3.1.7. The issue arises from the use of a deprecated fast-decompression routine that lacks a source-length boundary check. An attacker can exploit this by sending a specially crafted MessagePack payload containing manipulated LZ4 token/length fields, which may result in out-of-bounds reads from the compressed input buffer. This can cause an AccessViolationException during decompression, leading to potential process termination and denial of service. In some scenarios, the vulnerability might also lead to limited unintended memory disclosure before the failure occurs. Users operating affected versions should upgrade to the patched versions to mitigate these risks.
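The defect class named above is the absence of a source-length boundary check in an LZ4 block decoder. The following bounds-checked decoder is an added example written for this page; it is not MessagePack for C#'s code and does not reproduce its patch. Every read of a token, length-extension byte, literal run or match offset is validated against the input length, so a malformed block yields an error return instead of an out-of-bounds read.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Decode one raw LZ4 block (token, literal run, 2-byte LE offset,
 * match run) into dst. Every read from src is validated against srclen,
 * so a crafted token/length field yields -1 instead of reading past the
 * compressed input. Returns bytes written to dst, or -1 on malformed input. */
long lz4_block_decode(const uint8_t *src, size_t srclen,
                      uint8_t *dst, size_t dstcap)
{
    size_t ip = 0, op = 0;
    while (ip < srclen) {
        uint8_t token = src[ip++];
        size_t lit = token >> 4, mlen = (size_t)(token & 0x0F) + 4;
        /* Literal-length extension: each 0xFF byte adds 255 and the first
         * byte below 0xFF ends the run; it must not run past the input. */
        if (lit == 15) {
            uint8_t b;
            do { if (ip >= srclen) return -1; b = src[ip++]; lit += b; }
            while (b == 0xFF);
        }
        /* The source-length boundary check: the literal run must fit in
         * the remaining input (and in the output buffer). */
        if (lit > srclen - ip || lit > dstcap - op) return -1;
        memcpy(dst + op, src + ip, lit);
        ip += lit; op += lit;
        if (ip == srclen) break;           /* last sequence carries only literals */
        if (srclen - ip < 2) return -1;    /* offset needs two bytes */
        size_t off = (size_t)src[ip] | (size_t)src[ip + 1] << 8;
        ip += 2;
        if (off == 0 || off > op) return -1;  /* match must point inside dst */
        if (mlen == 19) {                  /* match-length extension, same rule */
            uint8_t b;
            do { if (ip >= srclen) return -1; b = src[ip++]; mlen += b; }
            while (b == 0xFF);
        }
        if (mlen > dstcap - op) return -1;
        /* Byte-wise copy: source and destination overlap whenever off < mlen. */
        for (size_t i = 0; i < mlen; i++, op++) dst[op] = dst[op - off];
    }
    return (long)op;
}
```

The decoder accepts a well-formed block such as the constructed bytes `35 61 62 63 03 00` ("abc" followed by a 9-byte match at offset 3, decoding to "abcabcabcabc") and rejects a block whose token claims more literals than the input holds.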

Affected Version(s)

MessagePack-CSharp < 3.1.7

MessagePack-CSharp < 2.5.301

References

CVSS V3.1

Score: 8.2
Severity: HIGH
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
