cvedb.io
CVE-2026-48515
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2026-06-22T22:16:48.360 · Last modified 2026-06-25T17:16:39.437

Summary

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T[,], T[,,], or T[,,,] before validating that the dimension product matches the encoded element count. The formatter reads a guarded element array header, but allocation of the target multi-dimensional array happens before the dimensions are checked against that element count. A small payload can therefore declare large dimensions, provide an empty or tiny inner array, and cause a large heap allocation before element data is validated. This vulnerability is fixed in 2.5.301 and 3.1.7.

Affected products

messagepack — messagepack

Does this affect you?

Add your gear to cvedb and we'll alert you only when messagepack ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.