MessagePack for C# Vulnerability in JSON Conversion Components
CVE-2026-48512

6.3 MEDIUM

Key Information:

Vendor
CVE Published: 22 June 2026

What is CVE-2026-48512?

MessagePack for C#, a popular serializer for C#, has a vulnerability in its JSON conversion helpers: multiple recursion paths do not enforce a depth limit effectively, and malformed JSON input can drive them. In the affected versions, the FromJsonCore() method can exhaust the stack, resulting in a StackOverflowException when processing deeply nested JSON structures. Flaws in TinyJsonReader also permit it to consume separator characters recursively. Depth checks are in place for some functions, but specific branches lack them and remain a security concern. The issue has been fixed in newer releases, which are more robust against such stack overflow attacks.
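
A caller-side pre-check that could sit in front of the JSON conversion helpers, as an added example that is not code from MessagePack-CSharp or from this advisory: it scans untrusted JSON without recursion and rejects input that nests deeper than a limit or contains a run of separators with no value between them. The names `JsonPreCheck` and `IsSafe`, the default limit of 64, and the reading of "separator characters" as `,` and `:` are assumptions.

```csharp
using System;
// Added example, not MessagePack-CSharp code: an iterative pre-filter, not a full
// JSON validator. Names and the default limit are hypothetical; ',' and ':' assumed.
public static class JsonPreCheck
{
    public static bool IsSafe(string json, int maxDepth = 64)
    {
        if (json == null) return false;
        int depth = 0;
        bool inString = false, escaped = false, lastWasSeparator = false;
        foreach (char c in json)
        {
            if (inString)
            {
                // Inside a string literal, brackets and separators are data.
                if (escaped) escaped = false;
                else if (c == '\\') escaped = true;
                else if (c == '"') inString = false;
                continue;
            }
            if (char.IsWhiteSpace(c)) continue;
            switch (c)
            {
                case '"':
                    inString = true; lastWasSeparator = false; break;
                case '{': case '[':
                    if (++depth > maxDepth) return false;   // nesting too deep
                    lastWasSeparator = false; break;
                case '}': case ']':
                    if (--depth < 0) return false;          // unbalanced close
                    lastWasSeparator = false; break;
                case ',': case ':':
                    if (lastWasSeparator) return false;     // run of separators
                    lastWasSeparator = true; break;
                default:
                    lastWasSeparator = false; break;        // number, true, false, null
            }
        }
        return depth == 0 && !inString;
    }

    public static void Main()
    {
        // Constructed inputs: well-formed, deeply nested, long separator run.
        Console.WriteLine(IsSafe("{\"a\":[1,2,{\"b\":null}]}"));
        Console.WriteLine(IsSafe(new string('[', 100000) + new string(']', 100000)));
        Console.WriteLine(IsSafe("[1" + new string(',', 100000) + "2]"));
    }
}
```

Because the scan is a single loop with constant stack use, it cannot itself be driven into stack exhaustion by the input it is screening. It complements upgrading to a fixed release rather than replacing it.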

Affected Version(s)

MessagePack-CSharp >= 3.1.7, < 3.1.7 < 3.1.7, 3.1.7

MessagePack-CSharp < 2.5.301

CVSS V4

Score: 6.3
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: High
Attack Required: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
