cvedb.io
CVE-2026-48502
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-06-22T22:16:47.147 · Last modified 2026-06-23T17:25:05.147

Summary

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.

Affected products

messagepack — messagepack

Does this affect you?

Add your gear to cvedb and we'll alert you only when messagepack ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.