CVE-2026-48516 | MessagePack for C# is a MessagePack serializer for C#. Prior… | CVSS 6.3 MEDIUM

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer<TKey>(). This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture This vulnerability is fixed in 2.5.301 and 3.1.7.

Metadata

CVE ID: CVE-2026-48516
State: PUBLISHED
Assigner: GitHub_M
Reserved: 2026-05-21 16:18 UTC
Published: 2026-06-22 21:09 UTC
Last updated: 2026-06-22 21:09 UTC
Primary CWE: CWE-407
CWE-407: Inefficient Algorithmic Complexity
Vendor / Product: MessagePack-CSharp / MessagePack-CSharp
Sources: cve.org · NVD

Severity & Metrics

6.3 MEDIUM CVSS 4.0

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Affected products (1)

Vendor	Product	Platform	Versions
MessagePack-CSharp	MessagePack-CSharp	—	>= 3.1.7, < 3.1.7, < 2.5.301

Weakness (CWE)

CWE	Source	Description
CWE-407	cna	CWE-407: Inefficient Algorithmic Complexity

CVSS scores (1)

Score	Severity	Version	Source	Vector
6.3	MEDIUM	4.0	cna	CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

References (1)

https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-q2h6-ghwm-5qm8 https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-q2h6-ghwm-5qm8