CVE-2026-48109

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, A vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes Lz4Block and Lz4BlockArray. The decoder implementation is based on a deprecated fast-decompression algorithm that does not take a source-length bound. A remote attacker can send a crafted MessagePack payload with manipulated LZ4 token/length fields to force out-of-bounds reads from the compressed input buffer. In affected environments, this can trigger an AccessViolationException during decompression, causing process termination (denial of service). Under some conditions, limited unintended memory disclosure from over-read data may also be possible before failure. This vulnerability is fixed in 2.5.301 and 3.1.7.

CVSS v3 8.2 HIGH

8.2^/10

CVSS v3 : HIGH

Vector :

Exploitability : 3.9 / Impact : 4.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-hv8m-jj95-wg3x	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:messagepack:messagepack::::::c\#::*
	cpe:2.3:a:messagepack:messagepack::::::c\#::*

History

23 Jun 2026, 17:25

Type	Values Removed	Values Added
References	~~() https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-hv8m-jj95-wg3x -~~	() https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-hv8m-jj95-wg3x - Mitigation, Vendor Advisory
CPE		cpe:2.3:a:messagepack:messagepack::::::c\#::*
First Time		Messagepack messagepack Messagepack

22 Jun 2026, 22:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-22 22:16

Updated : 2026-06-23 17:25

NVD link : CVE-2026-48109

Mitre link : CVE-2026-48109

CVE.ORG link : CVE-2026-48109

JSON object : View

Products Affected

messagepack

messagepack

CWE

CWE-20

Improper Input Validation

{"id": "CVE-2026-48109", "cveTags": [], "metrics": {"ssvcV203": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "ssvcData": {"id": "CVE-2026-48109", "role": "CISA Coordinator", "options": [{"exploitation": "none"}, {"automatable": "yes"}, {"technicalImpact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-23T12:14:22.316983Z"}}], "cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}, "impactScore": 4.2, "exploitabilityScore": 3.9}]}, "affected": [{"source": "security-advisories@github.com", "affectedData": [{"vendor": "MessagePack-CSharp", "product": "MessagePack-CSharp", "versions": [{"status": "affected", "version": ">= 3.1.7, < 3.1.7"}, {"status": "affected", "version": "< 2.5.301"}]}]}], "published": "2026-06-22T22:16:46.617", "references": [{"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-hv8m-jj95-wg3x", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}], "descriptions": [{"lang": "en", "value": "MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, A vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes Lz4Block and Lz4BlockArray. The decoder implementation is based on a deprecated fast-decompression algorithm that does not take a source-length bound. A remote attacker can send a crafted MessagePack payload with manipulated LZ4 token/length fields to force out-of-bounds reads from the compressed input buffer. In affected environments, this can trigger an AccessViolationException during decompression, causing process termination (denial of service). Under some conditions, limited unintended memory disclosure from over-read data may also be possible before failure. This vulnerability is fixed in 2.5.301 and 3.1.7."}], "lastModified": "2026-06-23T17:25:43.420", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:messagepack:messagepack:*:*:*:*:*:c\\#:*:*", "vulnerable": true, "matchCriteriaId": "1B965ABC-EE02-45D7-895A-E05EE88CF67B", "versionEndExcluding": "2.5.301"}, {"criteria": "cpe:2.3:a:messagepack:messagepack:*:*:*:*:*:c\\#:*:*", "vulnerable": true, "matchCriteriaId": "FD170D86-D657-4F8D-99BF-9624CDC0287A", "versionEndExcluding": "3.1.7", "versionStartIncluding": "3.0.3"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}