High severity7.5NVD Advisory· Published May 14, 2026· Updated May 14, 2026
CVE-2026-44375
CVE-2026-44375
Description
Nerdbank.MessagePack is a NativeAOT-compatible MessagePack serialization library. Prior to 1.1.62, Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a StackOverflowException, which is not catchable by user code and terminates the process. This vulnerability is fixed in 1.1.62.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
Nerdbank.MessagePackNuGet | < 1.1.62 | 1.1.62 |
Affected products
1Patches
Vulnerability mechanics
References
7- github.com/advisories/GHSA-2cwq-pwfr-wcw3ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-44375ghsaADVISORY
- github.com/AArnott/Nerdbank.MessagePack/commit/7d1eb319cfabe7280e70699946c9a48579fa2f30nvdWEB
- github.com/AArnott/Nerdbank.MessagePack/pull/941nvdWEB
- github.com/AArnott/Nerdbank.MessagePack/releases/tag/v1.1.62nvdWEB
- github.com/AArnott/Nerdbank.MessagePack/security/advisories/GHSA-2cwq-pwfr-wcw3nvdWEB
- github.com/msgpack/msgpack/blob/master/spec.mdghsaWEB
News mentions
0No linked articles in our index yet.