5 matches found
CVE-2026-48502
MessagePack-CSharp contains a Denial of Service vulnerability in MessagePackReader.ReadDateTime() where a stack allocation is driven by attacker-controlled extension length. In the slow path, tokenSize includes the extension body length and is used in a stackalloc before the extension length is v...
CVE-2026-48511
The CVE affects MessagePack for C# (MessagePack-CSharp) prior to versions 2.5.301 and 3.1.7. The issue lies in ExpandoObjectFormatter.Deserialize, which populates System.Dynamic.ExpandoObject by repeatedly calling IDictionary.Add for each map entry. ExpandoObject stores member names in array-like...
EUVD-2026-38385
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many...
EUVD-2026-38381
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate T[,], T[,,], or T[,,,] before validating that the dimension product matches the encoded element count. T...
CVE-2026-48516
MessagePack-CSharp before versions 2.5.301 and 3.1.7 is vulnerable in the InterfaceLookupFormatter, which constructs an internal Dictionary with the default equality comparer rather than the security-aware comparer from options.Security.GetEqualityComparer(). This omission enables a hash-collision ...