CVE-2026-48510
MessagePack-CSharp: LZ4 decompression allocates from unbounded declared output lengths
| CVSS Score | 0.0 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers based on those lengths before validating that the compressed data is valid or that the declared expansion is reasonable. A small payload can claim a very large uncompressed length and force a large allocation before LZ4 decoding begins. This vulnerability is fixed in 2.5.301 and 3.1.7.
| CWE | CWE-409, CWE-770 |
| Vendor | messagepack-csharp |
| Product | messagepack-csharp |
| Published | Jun 22, 2026 |
Affected Versions
MessagePack-CSharp / MessagePack-CSharp
< 2.5.301; < 3.1.7