Stack Overflow Vulnerability in MessagePack for C# by MessagePack
CVE-2026-48502

8.2HIGH

Key Information:

Vendor: Messagepack-csharp
Status: Messagepack-csharp
Vendor: CVE Published:; 22 June 2026

🔔 Create Messagepack-csharp Vulnerability Alert

What is CVE-2026-48502?

A vulnerability exists in the MessagePack for C# serializer, where the MessagePackReader.ReadDateTime() method can allocate excessive stack memory based on an attacker-controlled MessagePack extension length. This occurs specifically during the slow path for timestamp extension parsing. The vulnerability allows an attacker to craft a payload that requests a large timestamp extension body, which can lead to a stack allocation error, ultimately resulting in a StackOverflowException that crashes the host process. This issue has been remediated in versions 2.5.301 and 3.1.7.

Affected Version(s)

MessagePack-CSharp >= 3.1.7, < 3.1.7 < 3.1.7, 3.1.7

MessagePack-CSharp < 2.5.301 < 2.5.301

References

https://github.com/MessagePack-CSharp/MessagePack-CSharp/...

x_refsource_CONFIRM

CVSS V4

Score:

8.2

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
May 21, 2026

CVE-2026-48502 Data

JSON