MessagePack Serializer for C# Vulnerability in UnsafeBlitFormatterBase
CVE-2026-48514
6.3 MEDIUM
What is CVE-2026-48514?
The MessagePack for C# library, a widely used serializer in the C# ecosystem, contains a deserialization flaw in the UnsafeBlitFormatterBase class. Prior to versions 2.5.301 and 3.1.7, the library does not properly validate the byte length read from an attacker-controlled extension payload before allocating an array of that size. As a result, a small payload can cause the deserializer to allocate a disproportionately large array, leading to potential denial of service or resource exhaustion. Users are advised to update to version 2.5.301 or 3.1.7 or later to mitigate this risk.
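The pattern described above, as an added illustration that is not MessagePack-CSharp's own UnsafeBlitFormatterBase code: a blit-style formatter that sizes its array from the extension header alone, next to a hardened form that bounds the claimed length by the bytes actually present before allocating. It assumes the public MessagePackReader API (ReadExtensionFormatHeader, Remaining, ReadRaw) and the ExtensionHeader struct; the class and method names are hypothetical.

```csharp
using System;
using System.Buffers;
using System.Runtime.CompilerServices;
using System.Runtime.InteropServices;
using MessagePack;

// Hypothetical helper written for this illustration; it is not the library's
// own formatter. Assumes the public MessagePackReader API (ReadExtensionFormatHeader,
// Remaining, ReadRaw) and the ExtensionHeader struct (TypeCode, Length).
public static class BlitLengthCheck
{
    // Flawed pattern: the element count comes straight from the byte length in the
    // extension header. Whoever produced the payload chose that number, so a header
    // of a few bytes can request an allocation far larger than the whole input.
    public static T[] DeserializeUnchecked<T>(ref MessagePackReader reader, sbyte typeCode)
        where T : unmanaged
    {
        ExtensionHeader header = reader.ReadExtensionFormatHeader();
        if (header.TypeCode != typeCode)
            throw new MessagePackSerializationException("Unexpected extension type code.");

        // Allocates before any payload byte has been read or checked.
        var result = new T[checked((int)(header.Length / (uint)Unsafe.SizeOf<T>()))];
        reader.ReadRaw(header.Length).CopyTo(MemoryMarshal.AsBytes(result.AsSpan()));
        return result;
    }

    // Hardened pattern: the claimed length must be backed by bytes that exist in the
    // buffer, and must be a whole number of elements, before anything is allocated.
    public static T[] DeserializeChecked<T>(ref MessagePackReader reader, sbyte typeCode)
        where T : unmanaged
    {
        ExtensionHeader header = reader.ReadExtensionFormatHeader();
        if (header.TypeCode != typeCode)
            throw new MessagePackSerializationException("Unexpected extension type code.");

        int elementSize = Unsafe.SizeOf<T>();
        if (header.Length > reader.Remaining)
            throw new MessagePackSerializationException(
                $"Extension payload claims {header.Length} bytes but only {reader.Remaining} remain.");
        if (header.Length % (uint)elementSize != 0)
            throw new MessagePackSerializationException(
                $"Payload length {header.Length} is not a multiple of element size {elementSize}.");

        var result = new T[checked((int)(header.Length / (uint)elementSize))];
        reader.ReadRaw(header.Length).CopyTo(MemoryMarshal.AsBytes(result.AsSpan()));
        return result;
    }
}
```

The comparison against reader.Remaining is the check the description above identifies as missing; the element-size check is an additional sanity check on the same untrusted value.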
Affected Version(s)
MessagePack-CSharp < 3.1.7 (3.x release line; fixed in 3.1.7)
MessagePack-CSharp < 2.5.301 (2.x release line; fixed in 2.5.301)
