MessagePack-CSharp: LZ4 decompression allocates from unbounded declared output lengths

6.3 / 10

MEDIUM

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers based on those lengths before validating that the compressed data is valid or that the declared expansion is reasonable. A small payload can claim a very large uncompressed length and force a large allocation before LZ4 decoding begins. This vulnerability is fixed in 2.5.301 and 3.1.7.

Basic Information

ID CVE-2026-48510

Source GitHub_M

Published Jun 22, 2026 at 21:16

Affected Product

Vendor MessagePack-CSharp

Product MessagePack-CSharp

Version >= 3.1.7, < 3.1.7

Affected Versions MessagePack-CSharp MessagePack-CSharp >= 3.1.7, < 3.1.7
MessagePack-CSharp MessagePack-CSharp < 2.5.301

CWE Classification

CWE-409 CWE-770

References

github.com /MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-v72x-2h86-7f8m

{
    "lastseen": "",
    "description": "MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, when MessagePack-CSharp decompresses Lz4Block or Lz4BlockArray payloads, it reads declared uncompressed lengths from the wire and allocates output buffers based on those lengths before validating that the compressed data is valid or that the declared expansion is reasonable. A small payload can claim a very large uncompressed length and force a large allocation before LZ4 decoding begins. This vulnerability is fixed in 2.5.301 and 3.1.7.",
    "published": "2026-06-22T21:16:04.527Z",
    "modified": "2026-06-22T21:16:04.527Z",
    "type": "cve",
    "title": "MessagePack-CSharp: LZ4 decompression allocates from unbounded declared output lengths",
    "source": "GitHub_M",
    "references": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-v72x-2h86-7f8m",
    "id": "CVE-2026-48510",
    "bulletinFamily": "",
    "cwe": [
        "CWE-409",
        "CWE-770"
    ],
    "cvelist": null,
    "sourceData": "MessagePack-CSharp MessagePack-CSharp >= 3.1.7, < 3.1.7\nMessagePack-CSharp MessagePack-CSharp < 2.5.301",
    "sourceHref": "",
    "cvss": {
        "score": 6.3,
        "severity": "MEDIUM",
        "vector": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "MessagePack-CSharp",
    "version": ">= 3.1.7, < 3.1.7",
    "vendor": "MessagePack-CSharp",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

MessagePack-CSharp: LZ4 decompression allocates from unbounded declared output lengths_CVE-2026-48510