CVE-2026-48510 | MessagePack for C# is a MessagePack serializer for C#. Prior… | CVSS 6.3 MEDIUM

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers based on those lengths before validating that the compressed data is valid or that the declared expansion is reasonable. A small payload can claim a very large uncompressed length and force a large allocation before LZ4 decoding begins. This vulnerability is fixed in 2.5.301 and 3.1.7.

Metadata

CVE ID: CVE-2026-48510
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-21 16:18 UTC
Published: 2026-06-22 21:16 UTC
Last updated: 2026-06-22 21:16 UTC
Primary CWE: CWE-409
CWE-409: Improper Handling of Highly Compressed Data (Data A…
Vendor / Product: MessagePack-CSharp / MessagePack-CSharp
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
MessagePack-CSharp	MessagePack-CSharp	—	>= 3.1.7, < 3.1.7, < 2.5.301

Weakness (CWE)

CWE	Source	Description
CWE-409	cna	CWE-409: Improper Handling of Highly Compressed Data (Data Amplification)
CWE-770	cna	CWE-770: Allocation of Resources Without Limits or Throttling

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References (1)

https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-v72x-2h86-7f8m https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-v72x-2h86-7f8m