MessagePack Serializer for C# Vulnerability Exposes Applications to Resource Allocation Issues
CVE-2026-48510

6.3 MEDIUM

Key Information:

Vendor
CVE Published: 22 June 2026

What is CVE-2026-48510?

MessagePack for C# is a serializer. When it decompresses Lz4Block or Lz4BlockArray inputs, it handles payload sizes improperly, and an attacker may be able to exploit this. Before versions 2.5.301 and 3.1.7, it inaccurately reads uncompressed lengths from the data stream, so it can allocate excessive resources based on a misleading length declaration. The result is a risk of denial of service and undue resource consumption as the application attempts to decode deceptively small payloads that claim larger uncompressed sizes.
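The check a decoder needs before it sizes an output buffer from a declared length, as an added example that is not MessagePack-CSharp code. The frame layout, the names `DeclaredLengthGuard` and `TryGetSafeLength`, the 1 MiB cap and the 255:1 expansion bound are assumptions made for illustration.

```csharp
using System;
using System.Buffers.Binary;

// Added illustration, not MessagePack-CSharp code. Constructed frame layout:
// 4-byte big-endian declared uncompressed length, then the LZ4 block bytes.
public static class DeclaredLengthGuard
{
    // Assumed bound: an LZ4 block decodes to at most about 255 bytes per input byte.
    public const int MaxLz4Ratio = 255;

    // Returns true only when the declared length is safe to allocate.
    public static bool TryGetSafeLength(ReadOnlySpan<byte> frame, int maxUncompressed, out int length, out string reason)
    {
        length = 0;
        if (frame.Length < 4) { reason = "frame shorter than length header"; return false; }
        int declared = BinaryPrimitives.ReadInt32BigEndian(frame);
        long compressed = frame.Length - 4;
        if (declared < 0) { reason = "negative declared length"; return false; }
        if (declared > maxUncompressed) { reason = "declared length exceeds application cap"; return false; }
        // A small payload claiming a huge output is rejected before any buffer is allocated.
        if (declared > compressed * MaxLz4Ratio) { reason = "declared length impossible for payload size"; return false; }
        length = declared;
        reason = "ok";
        return true;
    }
}

public static class Program
{
    // Builds a constructed frame: length header plus zero-filled placeholder payload bytes.
    static byte[] Frame(int declared, int payloadBytes)
    {
        var buf = new byte[4 + payloadBytes];
        BinaryPrimitives.WriteInt32BigEndian(buf, declared);
        return buf;
    }

    public static void Main()
    {
        const int cap = 1 << 20; // 1 MiB application limit (assumed policy)
        var samples = new (string Name, byte[] Data)[]
            { ("honest", Frame(4096, 512)), ("over cap", Frame(int.MaxValue, 16)), ("bad ratio", Frame(500_000, 16)) };
        foreach (var (name, data) in samples)
        {
            bool ok = DeclaredLengthGuard.TryGetSafeLength(data, cap, out int len, out string why);
            Console.WriteLine($"{name}: ok={ok} length={len} reason={why}");
        }
    }
}
```

The third sample stays under the cap but is still rejected, because 16 payload bytes cannot expand to 500,000 bytes under the assumed ratio.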

Affected Version(s)

MessagePack-CSharp >= 3.1.7, < 3.1.7

MessagePack-CSharp < 2.5.301

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
