Denial of Service Vulnerability in MessagePack for C# by MessagePack
CVE-2026-48516

6.3MEDIUM

Key Information:

Vendor: Messagepack-csharp
Status: Messagepack-csharp
Vendor: CVE Published:; 22 June 2026

🔔 Create Messagepack-csharp Vulnerability Alert

What is CVE-2026-48516?

The MessagePack for C# serializer, prior to designated versions, contains a vulnerability where the InterfaceLookupFormatter<TKey,TElement> utilizes an internal Dictionary<TKey, IGrouping<TKey,TElement>> with a default equality comparer rather than an appropriate security-aware comparer. This oversight leads to a hash-collision Denial of Service (DoS) on ILookup<TKey,TElement>, persisting even if the application has adopted the untrusted-data security configuration. The issue has been addressed in versions 2.5.301 and 3.1.7.

Affected Version(s)

MessagePack-CSharp >= 3.1.7, < 3.1.7 < 3.1.7, 3.1.7

MessagePack-CSharp < 2.5.301 < 2.5.301

References

https://github.com/MessagePack-CSharp/MessagePack-CSharp/...

x_refsource_CONFIRM

CVSS V4

Score:

6.3

Severity:

MEDIUM

Confidentiality:

None

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

High

Attack Required:

Physical

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 22, 2026
Vulnerability Reserved
May 21, 2026

CVE-2026-48516 Data

JSON