Performance Degradation in MessagePack for C# by Affected Vendor
CVE-2026-48511
What is CVE-2026-48511?
The MessagePack for C# serializer has a denial-of-service weakness in its ExpandoObjectFormatter.Deserialize method. In versions prior to 2.5.301 and 3.1.7, deserializing a large, attacker-controlled map into an ExpandoObject causes severe performance degradation. The method inserts each entry through IDictionary<string, object>.Add, and because of ExpandoObject's internal structure each insertion can trigger a linear scan and an array copy, so cost grows far faster than the number of entries. The result is heavy CPU use and memory allocation that can lead to denial of service. The issue is particularly insidious because the collision-resistant comparers enabled by MessagePackSecurity's untrusted-data settings do not help: they address hash collisions, not the cost of ExpandoObject's insertion mechanism. The vulnerability is fixed in versions 2.5.301 and 3.1.7.
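Because the untrusted-data comparers do not address the insertion cost, the only mitigation short of upgrading is to bound the amount of work the formatter can be asked to do. The following C# is an added example, not code from the advisory or from the MessagePack-CSharp project: it reads the top-level map header with MessagePackReader and rejects oversized maps before they reach ExpandoObjectFormatter. The class name, the MaxTopLevelEntries limit and the use of ContractlessStandardResolver are assumptions made for this example.

```csharp
using System;
using System.Dynamic;
using MessagePack;
using MessagePack.Resolvers;

// Added example: guard untrusted payloads before ExpandoObjectFormatter runs.
// Not part of the advisory or of MessagePack-CSharp itself.
public static class GuardedExpandoDeserializer
{
    // Constructed limit (assumption): choose a value that keeps the number of
    // IDictionary<string, object>.Add calls acceptable for your service.
    public const int MaxTopLevelEntries = 1_000;

    // Untrusted-data settings still matter for other formatters, even though
    // they do not address the ExpandoObject insertion cost described above.
    private static readonly MessagePackSerializerOptions UntrustedOptions =
        ContractlessStandardResolver.Options.WithSecurity(MessagePackSecurity.UntrustedData);

    // Returns the declared entry count of the top-level map without
    // materialising any object. The declared count bounds how many Add
    // calls the formatter can make, so it is the value worth capping.
    public static int PeekTopLevelMapSize(ReadOnlyMemory<byte> payload)
    {
        var reader = new MessagePackReader(payload);
        if (reader.NextMessagePackType != MessagePackType.Map)
        {
            throw new MessagePackSerializationException("Expected a map at the top level.");
        }
        return reader.ReadMapHeader();
    }

    // Deserializes into ExpandoObject only after the size check passes.
    public static ExpandoObject Deserialize(ReadOnlyMemory<byte> payload)
    {
        int entries = PeekTopLevelMapSize(payload);
        if (entries > MaxTopLevelEntries)
        {
            throw new MessagePackSerializationException(
                $"Top-level map declares {entries} entries; limit is {MaxTopLevelEntries}.");
        }
        return MessagePackSerializer.Deserialize<ExpandoObject>(payload, UntrustedOptions);
    }
}
```

This is a stopgap: the check caps the work per message but does not change the quadratic insertion behaviour, so upgrading to 2.5.301 or 3.1.7 remains the actual fix.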
Affected Version(s)
MessagePack-CSharp 3.x < 3.1.7 (fixed in 3.1.7)
MessagePack-CSharp < 2.5.301 (fixed in 2.5.301)
