MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T[,], T[,,], or T[,,,] before validating that the dimension product matches the encoded element count. The formatter reads a guarded element array header, but allocation of the target multi-dimensional array happens before the dimensions are checked against that element count. A small payload can therefore declare large dimensions, provide an empty or tiny inner array, and cause a large heap allocation before element data is validated. This vulnerability is fixed in 2.5.301 and 3.1.7.
Metrics
Affected Vendors & Products
No data.
No data.
No data.
No data.
References
History
Mon, 22 Jun 2026 22:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T[,], T[,,], or T[,,,] before validating that the dimension product matches the encoded element count. The formatter reads a guarded element array header, but allocation of the target multi-dimensional array happens before the dimensions are checked against that element count. A small payload can therefore declare large dimensions, provide an empty or tiny inner array, and cause a large heap allocation before element data is validated. This vulnerability is fixed in 2.5.301 and 3.1.7. | |
| Title | MessagePack-CSharp: Multi-dimensional array formatters allocate from unchecked dimensions | |
| Weaknesses | CWE-770 | |
| References |
| |
| Metrics |
cvssV4_0
|
MITRE
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-22T21:10:39.110Z
Reserved: 2026-05-21T16:18:10.618Z
Link: CVE-2026-48515
Vulnrichment
No data.
NVD
No data.
Redhat
No data.
OpenCVE Enrichment
No data.