Cyber Resilience

CVE-2026-48502

Published: 22 June 2026

Published
22 June 2026
Modified
23 June 2026
KEV Added
Patch
CVSS Score v4 8.2 CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0026 16.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-48502 is a high-severity Out-of-bounds Read (CWE-125) vulnerability in Messagepack Messagepack. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked at the 16.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension…

more

body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

Vulnerability enables remote DoS via stack exhaustion from attacker-controlled allocation size in deserialization, directly matching T1499.004 Application or System Exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

Affected Assets

messagepack
messagepack
≤ 2.5.301 · 3.0.3 — 3.1.7

Mitigating Controls

Likely Mitigating Controls AI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Addresses inefficient algorithms whose complexity can be exploited for DoS.

addresses: CWE-502 CWE-470

Untrusted serialized data can be deserialized and observed inside the chamber, blocking gadget-chain exploitation outside the sandbox.

addresses: CWE-502

Penetration testing supplies malicious serialized objects, detecting unsafe deserialization and supporting corrective actions.

addresses: CWE-1188

Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines.

addresses: CWE-1188

Reviewing and updating baseline when components are installed or upgraded prevents initialization with insecure defaults.

addresses: CWE-1188

Requiring explicit configuration to minimal functionality overrides insecure defaults that would otherwise enable excess capabilities.

addresses: CWE-674

Supports resumption at alternate site when uncontrolled recursion causes primary site failure or crash.

addresses: CWE-1188

Tailoring replaces or augments insecure default initializations with system-specific values and compensating controls before deployment.

References