CVE-2026-48502
Published: 22 June 2026
Summary
CVE-2026-48502 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in MessagePack for C# (vendor/product listed as Messagepack / Messagepack). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). It is ranked at the 16.8th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-38389
Vulnerability details
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.
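The pattern the details above describe, as an added illustration that is not MessagePack for C#'s own code: a hypothetical timestamp-extension reader in the vulnerable shape (stack buffer sized from the wire-supplied length before any check) beside a hardened one that validates the length against the three body sizes the MessagePack timestamp extension allows (4, 8 and 12 bytes) before touching the stack. The class name, method names and sample bytes are constructed for this example; the decoding rules follow the MessagePack timestamp specification.

```csharp
// Added example, not the library's code. Shows why a stackalloc sized from an
// untrusted length must come after validation, using the MessagePack timestamp
// extension (type -1, body of 4, 8 or 12 bytes) as the concrete case.
using System;
using System.Buffers.Binary;

public static class TimestampExtensionReader
{
    static readonly DateTime UnixEpoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);

    // Vulnerable shape: the stack buffer is sized from the extension length read off the
    // wire. A 2-byte payload can claim a multi-megabyte body, and the stackalloc alone is
    // enough to exhaust the stack before any body bytes are ever consumed.
    public static DateTime ReadVulnerable(int extLength, ReadOnlySpan<byte> body)
    {
        Span<byte> buffer = stackalloc byte[extLength]; // attacker-controlled size
        int n = Math.Min(body.Length, extLength);
        body.Slice(0, n).CopyTo(buffer);
        return Decode(buffer.Slice(0, n));
    }

    // Hardened shape: reject anything but the three legal sizes first, then use a
    // fixed-size buffer whose length no longer depends on the payload at all.
    public static DateTime ReadHardened(int extLength, ReadOnlySpan<byte> body)
    {
        if (extLength != 4 && extLength != 8 && extLength != 12)
            throw new InvalidOperationException($"Invalid timestamp extension length: {extLength}");
        if (body.Length < extLength)
            throw new InvalidOperationException("Truncated timestamp extension body");

        Span<byte> buffer = stackalloc byte[12]; // constant upper bound
        body.Slice(0, extLength).CopyTo(buffer);
        return Decode(buffer.Slice(0, extLength));
    }

    // Decoding per the MessagePack timestamp spec: timestamp 32 (seconds), timestamp 64
    // (30-bit nanoseconds << 34 | 34-bit seconds), timestamp 96 (nanoseconds, int64 seconds).
    static DateTime Decode(ReadOnlySpan<byte> data)
    {
        switch (data.Length)
        {
            case 4:
            {
                uint seconds = BinaryPrimitives.ReadUInt32BigEndian(data);
                return UnixEpoch.AddSeconds(seconds);
            }
            case 8:
            {
                ulong packed = BinaryPrimitives.ReadUInt64BigEndian(data);
                uint nanos = (uint)(packed >> 34);
                long seconds = (long)(packed & 0x3FFFFFFFFUL);
                return UnixEpoch.AddSeconds(seconds).AddTicks(nanos / 100); // 100 ns per tick
            }
            case 12:
            {
                uint nanos = BinaryPrimitives.ReadUInt32BigEndian(data);
                long seconds = BinaryPrimitives.ReadInt64BigEndian(data.Slice(4));
                return UnixEpoch.AddSeconds(seconds).AddTicks(nanos / 100);
            }
            default:
                throw new InvalidOperationException("Invalid timestamp length");
        }
    }

    public static void Main()
    {
        // Constructed 12-byte timestamp-96 body: 500 ns, then seconds = 1_700_000_000.
        byte[] body = new byte[12];
        BinaryPrimitives.WriteUInt32BigEndian(body, 500);
        BinaryPrimitives.WriteInt64BigEndian(body.AsSpan(4), 1_700_000_000L);
        Console.WriteLine(ReadHardened(12, body).ToString("o"));

        // A tiny payload claiming a huge extension body: the hardened reader rejects it
        // up front. ReadVulnerable would instead attempt a stackalloc of that size and
        // terminate the process with an uncatchable StackOverflowException, so it is
        // deliberately not called here.
        try { ReadHardened(64 * 1024 * 1024, new byte[2]); }
        catch (InvalidOperationException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

The defensive point is the ordering: every check that bounds the size (legal set of lengths, and enough bytes actually present) runs before the allocation, and the allocation itself uses a constant upper bound rather than the value from the wire. When reviewing deserializers, search for stackalloc, ArrayPool rentals or new byte[n] whose n traces back to a length field, and confirm a validation step sits between the two.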
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The vulnerability enables remote denial of service via stack exhaustion, caused by an attacker-controlled allocation size during deserialization; this directly matches T1499.004 Application or System Exploitation.
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
- Addresses inefficient algorithms whose complexity can be exploited for DoS.
- Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.
- Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.
- Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines.
- Reviewing and updating the baseline when components are installed or upgraded prevents initialization with insecure defaults.
- Requiring explicit configuration to minimal functionality overrides insecure defaults that would otherwise enable excess capabilities.
- Supports resumption at an alternate site when uncontrolled recursion causes primary-site failure or crash.
- Tailoring replaces or augments insecure default initializations with system-specific values and compensating controls before deployment.