CVE-2026-48512

HIGH

CVSS v3.1: 7.5 · EPSS: 0.0021 (10.8 percentile)

Network · No privileges · No user interaction · Uncontrolled Recursion · Vendor advisory ref

At a glance

Severity
HIGH
CVSS
7.5 v3.1 · NVD
EPSS
0.0021 (10.8 percentile) · FIRST.org
CISA KEV
No
Type
Uncontrolled Recursion · NVD CWE
Attack conditions (CVSS vector)
Network · No privileges · No user interaction · Source: NVD Vector
Affected vendors
messagepack
Published
2026-06-22 · Modified: 2026-06-23

CVSS / EPSS / KEV

CVSS v3.1 7.5 / 10 HIGH Source: NVD
CVSS v4.0 6.3 / 10 MEDIUM Source: NVD
EPSS 0.0021 10.8 percentile Source: FIRST.org
CISA KEV No Source: CISA

Sources: CVSS from NVD · EPSS from FIRST.org · KEV from CISA.

Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's JSON conversion helpers contain multiple recursion paths that do not consistently enforce a depth limit. These paths are in the JSON conversion component rather than normal typed MessagePack deserialization. MessagePackSerializer.ConvertFromJson recursively processes nested JSON arrays and objects in FromJsonCore() without consulting MessagePackSecurity.MaximumObjectGraphDepth. TinyJsonReader.ReadNextToken() recursively consumes comma and colon separator characters, allowing even malformed JSON with long separator runs to consume one stack frame per character. MessagePackSerializer.ConvertToJson applies depth checks to arrays and maps, but the typeless extension branch for ext-100 recursively calls ToJsonCore() without applying MessagePackSecurity.DepthStep(ref reader). Each path can allow attacker-controlled input to exhaust the process stack and trigger an uncatchable StackOverflowException instead of failing with a catchable parse or serialization exception. This vulnerability is fixed in 2.5.301 and 3.1.7.
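The first two recursion paths above both start from attacker-supplied JSON text, so a caller who cannot yet upgrade can bound the input before it reaches the converter. The following is an added example, not MessagePack-CSharp's own code: a non-recursive scan that rejects JSON whose bracket nesting or run of consecutive separator characters exceeds a limit, then passes the text to MessagePackSerializer.ConvertFromJson. The guard class name, the separator-run limit of 64 and the reuse of options.Security.MaximumObjectGraphDepth as the nesting bound are assumptions.

```csharp
using System;
using MessagePack;

// Added mitigation example (assumed design, not the library's fix): a loop-based
// pre-check so that an unpatched ConvertFromJson never sees input deep enough
// to overflow the process stack. The scan does not validate JSON syntax.
public static class JsonDepthGuard
{
    // True when bracket nesting and separator runs both stay within the bounds.
    // Separators (',' and ':') are counted across whitespace, since the
    // vulnerable TinyJsonReader path recurses once per separator character.
    public static bool IsWithinBounds(string json, int maxDepth, int maxSeparatorRun)
    {
        int depth = 0, separatorRun = 0;
        bool inString = false;
        for (int i = 0; i < json.Length; i++)
        {
            char c = json[i];
            if (inString)
            {
                if (c == '\\') i++;                 // skip the escaped character
                else if (c == '"') inString = false;
                continue;
            }
            switch (c)
            {
                case '"': inString = true; separatorRun = 0; break;
                case '[': case '{':
                    if (++depth > maxDepth) return false;
                    separatorRun = 0; break;
                case ']': case '}': depth--; separatorRun = 0; break;
                case ',': case ':':
                    if (++separatorRun > maxSeparatorRun) return false;
                    break;
                default:
                    if (!char.IsWhiteSpace(c)) separatorRun = 0;
                    break;
            }
        }
        return true;
    }

    // Assumption: the caller's existing graph-depth limit is an acceptable bound
    // for JSON nesting too, so the two paths fail the same way on deep input.
    public static byte[] GuardedConvertFromJson(string json, MessagePackSerializerOptions options)
    {
        int maxDepth = options.Security.MaximumObjectGraphDepth;
        if (!IsWithinBounds(json, maxDepth, maxSeparatorRun: 64))
            throw new MessagePackSerializationException("JSON nesting or separator run exceeds the configured limit.");
        return MessagePackSerializer.ConvertFromJson(json, options);
    }
}
```

This guard does not cover the ConvertToJson ext-100 path, which consumes MessagePack bytes rather than JSON text; upgrading to 2.5.301 or 3.1.7 is the fix for all three paths.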

Record details

CVE ID
CVE-2026-48512
CVSS (v3.1)
7.5 (HIGH)
Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability subscore
3.9
Impact subscore
3.6
EPSS
0.0021 (10.8 percentile) — 2026-06-24
CISA KEV
No
Weakness (CWE)
CWE-674
Affected vendors
messagepack
Affected configurations (CPE)
2
Published
2026-06-22
Modified
2026-06-23
Status
Analyzed

References

Reference URLs as listed by NVD, grouped by a mechanical match on the link's host/pattern. Labels describe the link type only.