CVE-2026-44375

CVE-2026-44375 is a high-severity security vulnerability in Nerdbank.MessagePack (nuget), affecting versions < 1.1.62. It is fixed in 1.1.62.

Summary

Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a StackOverflowException, which is not catchable by user code and terminates the process.

Workarounds

If upgrading is not yet possible, avoid deserializing untrusted MessagePack payloads into type graphs that may contain DateTime fields or properties.

Input byte-size limits alone may not fully mitigate this issue, because the malicious payload can be small while declaring a very large extension length. Possible mitigations include:

  • Pre-validating MessagePack extension headers before deserialization and rejecting timestamp extensions whose length is not 4, 8, or 12 bytes.
  • Rejecting or filtering extension type -1 timestamp values from untrusted input unless they are known to be valid.
  • Running deserialization of untrusted payloads in an isolated process that can be safely restarted after termination.
  • Restricting MessagePack deserialization to trusted producers until a patched version is available.

Resources

Impact

Applications are impacted if they deserialize MessagePack data from untrusted or attacker-controlled sources using Nerdbank.MessagePack and the target type contains a DateTime value.

A small malicious payload can cause process termination, resulting in a denial of service. This may affect services, APIs, workers, message consumers, or other long-running processes that deserialize untrusted MessagePack input.

The issue occurs because DateTime timestamp extension decoding derives tokenSize from the attacker-controlled extension length before validating that the timestamp length is one of the legal MessagePack timestamp sizes: 4, 8, or 12 bytes. When the buffer is incomplete, that unvalidated size is propagated to the streaming reader slow path, where it is used in a stackalloc.

CVE-2026-44375 has a CVSS score of 7.5 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.1.62); upgrading removes the vulnerable code path.

Affected versions

Nerdbank.MessagePack (< 1.1.62)

Security releases

Nerdbank.MessagePack → 1.1.62 (nuget)

Kodem intelligence

Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.

Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.

See it in your environment

Remediation advice

The 1.1.62 version contains the fix for this security vulnerability.

Frequently Asked Questions

  1. What is CVE-2026-44375? CVE-2026-44375 is a high-severity security vulnerability in Nerdbank.MessagePack (nuget), affecting versions < 1.1.62. It is fixed in 1.1.62.
  2. How severe is CVE-2026-44375? CVE-2026-44375 has a CVSS score of 7.5 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
  3. Which versions of Nerdbank.MessagePack are affected by CVE-2026-44375? Nerdbank.MessagePack (nuget) versions < 1.1.62 is affected.
  4. Is there a fix for CVE-2026-44375? Yes. CVE-2026-44375 is fixed in 1.1.62. Upgrade to this version or later.
  5. Is CVE-2026-44375 exploitable, and should I be worried? Whether CVE-2026-44375 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
  6. What actually determines whether CVE-2026-44375 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
  7. How do I fix CVE-2026-44375? Upgrade Nerdbank.MessagePack to 1.1.62 or later.

Other vulnerabilities in Nerdbank.MessagePack

CVE-2026-44375

Stop the waste.
Protect your environment with Kodem.