MessagePack for C# Vulnerability in Multi-Dimensional Array Formatters
CVE-2026-48515

6.3MEDIUM

Key Information:

Vendor: Messagepack-csharp
Status: Messagepack-csharp
Vendor: CVE Published:; 22 June 2026

🔔 Create Messagepack-csharp Vulnerability Alert

What is CVE-2026-48515?

MessagePack for C# contains a vulnerability related to how multi-dimensional array formatters handle dimension lengths from the payload. The affected versions allocate large multi-dimensional arrays based on declared dimensions without first validating these dimensions against the actual encoded element count. This oversight can lead to excessive heap allocations when a small payload specifies large dimensions, potentially impacting application performance and security. The issue has been addressed in versions 2.5.301 and 3.1.7.

Affected Version(s)

MessagePack-CSharp >= 3.1.7, < 3.1.7 < 3.1.7, 3.1.7

MessagePack-CSharp < 2.5.301 < 2.5.301

References

https://github.com/MessagePack-CSharp/MessagePack-CSharp/...

x_refsource_CONFIRM

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
May 21, 2026

CVE-2026-48515 Data

JSON