CVE-2026-44375
Nerdbank.MessagePack: Attacker-controlled stackalloc in DateTime decoding causes process-terminating StackOverflowException
| CVSS Score | 7.5 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Nerdbank.MessagePack is a NativeAOT-compatible MessagePack serialization library. Prior to 1.1.62, Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a StackOverflowException, which is not catchable by user code and terminates the process. This vulnerability is fixed in 1.1.62.
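The length check this advisory turns on, as an added Python example (not Nerdbank.MessagePack's own code, which is C#): a strict timestamp-extension decoder that validates the untrusted declared length before any buffer is sized. The extension type -1 and the permitted payload lengths 4, 8 and 12 come from the MessagePack specification rather than from this page, and the function names are illustrative.

```python
import struct
from datetime import datetime, timedelta, timezone

TIMESTAMP_EXT_TYPE = -1               # reserved for timestamps by the MessagePack spec
VALID_TIMESTAMP_LENGTHS = (4, 8, 12)  # timestamp 32 / 64 / 96
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)
# ext family tokens: fixext carries an implied length, ext 8/16/32 carry a length field
FIXEXT = {0xD4: 1, 0xD5: 2, 0xD6: 4, 0xD7: 8, 0xD8: 16}
EXT = {0xC7: ">B", 0xC8: ">H", 0xC9: ">I"}


def read_ext_header(buf, pos=0):
    """Return (ext_type, declared_length, payload_offset); the payload is not read."""
    tag = buf[pos]
    if tag in FIXEXT:
        length, pos = FIXEXT[tag], pos + 1
    elif tag in EXT:
        (length,) = struct.unpack_from(EXT[tag], buf, pos + 1)
        pos += 1 + struct.calcsize(EXT[tag])
    else:
        raise ValueError("not an ext token")
    (ext_type,) = struct.unpack_from(">b", buf, pos)
    return ext_type, length, pos + 1


def decode_timestamp(buf, pos=0):
    """Decode a timestamp ext, rejecting any declared length the spec does not allow."""
    ext_type, length, off = read_ext_header(buf, pos)
    if ext_type != TIMESTAMP_EXT_TYPE:
        raise ValueError("not a timestamp extension")
    # Validate the sender-declared length before it can size any scratch buffer.
    if length not in VALID_TIMESTAMP_LENGTHS:
        raise ValueError(f"invalid timestamp length {length}")
    if len(buf) - off < length:
        raise ValueError("truncated payload")
    if length == 4:
        sec, nsec = struct.unpack_from(">I", buf, off)[0], 0
    elif length == 8:
        (raw,) = struct.unpack_from(">Q", buf, off)
        nsec, sec = raw >> 34, raw & 0x3FFFFFFFF   # 30-bit nsec, 34-bit sec
    else:
        nsec, sec = struct.unpack_from(">Iq", buf, off)
    if nsec > 999_999_999:
        raise ValueError("nanoseconds out of range")
    return EPOCH + timedelta(seconds=sec, microseconds=nsec // 1000)  # truncated to microseconds
```

Because the length is checked against a fixed set, the largest buffer the decoder ever needs is 12 bytes regardless of what the header declares.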
| CWE | CWE-789 |
| Vendor | aarnott |
| Product | nerdbank.messagepack |
| Published | May 14, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | None |
| Integrity | None |
| Availability | High |
Affected Versions
| AArnott / Nerdbank.MessagePack | < 1.1.62 |
References
github.com: https://github.com/AArnott/Nerdbank.MessagePack/security/advisories/GHSA-2cwq-pwfr-wcw3
github.com: https://github.com/AArnott/Nerdbank.MessagePack/pull/941
github.com: https://github.com/AArnott/Nerdbank.MessagePack/commit/7d1eb319cfabe7280e70699946c9a48579fa2f30
github.com: https://github.com/AArnott/Nerdbank.MessagePack/releases/tag/v1.1.62