MessagePack C#: Ten Vulnerabilities Disclosed Together, Affecting Deserialization and Security
Ten vulnerabilities in MessagePack C# disclosed on June 22, 2026, pose risks including DoS, memory exhaustion, and security bypasses.

Key findings
- Ten vulnerabilities disclosed in MessagePack C# on June 22, 2026.
- Issues include denial-of-service via excessive memory allocation and CPU exhaustion.
- Security bypasses found in depth enforcement, type restrictions, and comparer settings.
- ASP.NET Core input formatter defaults to TrustedData without explicit configuration.
- All vulnerabilities addressed in versions 2.5.301 and 3.1.7.
On June 22, 2026, a batch of ten vulnerabilities was disclosed in MessagePack C#, a popular MessagePack serializer for C#. The vulnerabilities span various components of the library and could lead to denial of service, unexpected behavior, and potential security bypasses if not properly handled. The disclosures highlight issues in deserialization, data parsing, and formatting functions, and affect versions prior to 2.5.301 and 3.1.7.
Several vulnerabilities stem from improper handling of attacker-controlled lengths and data, potentially leading to excessive memory allocation or CPU exhaustion. CVE-2026-48502 describes how MessagePackReader.ReadDateTime() can allocate excessive stack memory based on an attacker-controlled extension length, potentially leading to stack overflows. Similarly, CVE-2026-48506 points out that MessagePackReader.TrySkip() can recurse without enforcing maximum object graph depth, bypassing security settings. CVE-2026-48510 details how LZ4 decompression allocates buffers based on unbounded declared output lengths before validating the compressed data, opening the door for denial-of-service attacks. CVE-2026-48514 flags the UnsafeBlitFormatterBase<T>.Deserialize method for allocating unbounded byte lengths from extension payloads without proper validation. CVE-2026-48515 indicates that multi-dimensional array formatters allocate memory based on unchecked dimensions, which may not align with the encoded element count.
Other issues involve security bypasses and inefficient processing. CVE-2026-48509 highlights that the ASP.NET Core MessagePackInputFormatter defaults to TrustedData for HTTP request bodies when instantiated without parameters, which could lead to unintended data processing. CVE-2026-48511 reveals that the ExpandoObjectFormatter.Deserialize can perform quadratic insertion work on untrusted maps due to how System.Dynamic.ExpandoObject handles additions. CVE-2026-48512 notes that MessagePack C#'s JSON conversion APIs can recurse without consistent depth enforcement, potentially leading to denial-of-service. CVE-2026-48516 describes how the InterfaceLookupFormatter bypasses collision-resistant comparer settings by defaulting to a standard equality comparer instead of a security-aware one. Finally, CVE-2026-48517 points out that typeless deserialization type restrictions do not recursively check arrays or generic arguments, potentially allowing disallowed types to be deserialized.
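As an added illustration (not code from the advisory or the MessagePack C# project), the snippet below shows the weak default behind CVE-2026-48509 beside an explicit configuration that treats request bodies as untrusted and bounds nesting depth and body size; the option and formatter names are MessagePack C# 2.x/3.x APIs, while the depth and size values are illustrative choices. Upgrading to 2.5.301 or 3.1.7 remains the fix; this configuration is defense in depth.

```csharp
// Added example: explicit MessagePack security settings for an ASP.NET Core API.
// Assumes the MessagePack and MessagePack.AspNetCoreMvcFormatter packages are referenced.
using MessagePack;
using MessagePack.AspNetCoreMvcFormatter;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.Extensions.DependencyInjection;

var builder = WebApplication.CreateBuilder(args);

// Weak: the parameterless constructor serializes HTTP request bodies with
// TrustedData, so hash-collision protection and depth limits are not applied.
// builder.Services.AddControllers(o =>
//     o.InputFormatters.Add(new MessagePackInputFormatter()));

// Hardened: build options that mark every request body as untrusted and cap
// object-graph depth (64 is an illustrative limit, not a project default).
// Compression is left off so no LZ4 decompression runs on untrusted bodies.
var untrusted = MessagePackSerializerOptions.Standard
    .WithSecurity(MessagePackSecurity.UntrustedData.WithMaximumObjectGraphDepth(64))
    .WithCompression(MessagePackCompression.None);

builder.Services.AddControllers(o =>
{
    o.InputFormatters.Add(new MessagePackInputFormatter(untrusted));
    o.OutputFormatters.Add(new MessagePackOutputFormatter(untrusted));
});

// Bound request body size at the server so declared lengths inside a payload
// cannot exceed what was actually received (1 MiB is an illustrative cap).
builder.WebHost.ConfigureKestrel(k => k.Limits.MaxRequestBodySize = 1_048_576);

var app = builder.Build();
app.MapControllers();
app.Run();
```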
All ten vulnerabilities were fixed in versions 2.5.301 and 3.1.7 of MessagePack C#. Users are strongly advised to update to these patched versions to mitigate the identified risks. The broad range of issues, from stack overflows to security bypasses, underscores the importance of keeping the MessagePack C# library updated, especially for applications handling untrusted or attacker-controlled data.
The timely disclosure of these ten vulnerabilities on a single day emphasizes the need for continuous monitoring and prompt patching of software components, particularly those involved in data serialization and deserialization, which are common attack vectors.