CVE-2026-48506

Source
https://cve.org/CVERecord?id=CVE-2026-48506
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48506.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-48506
Aliases
Downstream
Published
2026-06-22T21:17:35.305Z
Modified
2026-07-15T01:48:52.813959211Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
MessagePack-CSharp: MessagePackReader.Skip can recurse without enforcing maximum object graph depth
Details

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.TrySkip() recursively descends into nested arrays and maps without incrementing the reader depth or calling the configured depth checks. This bypasses MessagePackSecurity.MaximumObjectGraphDepth, the library's documented protection against deeply nested object graphs. Many generated and dynamic formatters call reader.Skip() when they encounter unknown map keys, unknown array members, ignored fields, or data that should be skipped for forward compatibility. A deeply nested value in one of these skipped positions can therefore cause unbounded recursion and an uncatchable StackOverflowException. This vulnerability is fixed in 2.5.301 and 3.1.7.

Database specific
{
    "cwe_ids": [
        "CWE-674"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/48xxx/CVE-2026-48506.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/messagepack-csharp/messagepack-csharp

Affected ranges

Type
GIT
Repo
https://github.com/messagepack-csharp/messagepack-csharp
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Introduced
Fixed
Database specific
{
    "cpe": "cpe:2.3:a:messagepack:messagepack:*:*:*:*:*:c\\#:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.5.301"
        },
        {
            "introduced": "3.0.3"
        },
        {
            "fixed": "3.1.7"
        }
    ],
    "source": "CPE_RANGE"
}

Affected versions

0.*
0.1.0-beta
0.2.0-beta
1.*
1.0.1
v1.*
v1.0.2
v1.0.3
v1.1.1
v1.1.2
v1.2.0
v1.2.1
v1.2.3
v1.3.0
v1.3.1
v1.3.2
v1.3.3
v1.4.0
v1.4.1
v1.4.2
v1.4.4
v1.5.0
v1.5.1
v1.6.0
v1.6.1
v1.6.1.2
v1.6.2
v1.7.0
v1.7.2
v1.7.3
v1.7.3.1
v1.7.3.2
v1.7.3.3
v1.7.3.4
v2.*
v2.0.110-alpha
v2.0.119-beta
v2.0.123-beta
v2.0.204-beta
v2.0.270-rc
v2.0.94-alpha
v2.1.115
v2.1.143
v2.1.152
v2.1.165
v2.1.194
v2.1.80
v2.1.90
v2.2.113
v2.2.60
v2.2.85
v2.3.75
v2.3.85
v2.4.23-alpha
v2.4.35
v2.4.59
v2.5.103
v2.5.108
v2.5.124
v2.5.129
v2.5.140
v2.5.168
v2.5.171
v2.5.172
v2.5.187
v2.5.192
v2.5.198
v2.5.94
v3.*
v3.0.3
v3.0.300
v3.0.301
v3.1.0
v3.1.1
v3.1.2
v3.1.3
v3.1.4
v3.1.5
v3.1.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-48506.json"