CVE-2026-48502 is a high-severity out-of-bounds read vulnerability in MessagePack (nuget), affecting versions >= 3.0, < 3.1.7. It is fixed in 3.1.7.
Summary MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. Impact Applications are affected when they deserialize untrusted payloads into types containing DateTime values. This path is available through the standard formatter set and does not require opting into typeless serialization, LZ4 compression, Unity-specific resolvers, or other specialized features. MessagePackSecurity.UntrustedData and MaximumObjectGraphDepth do not mitigate this issue because the crash is caused by a single-frame stack allocation, not by object graph recursion. An attacker can send a MessagePack timestamp extension header with an oversized body length and insufficient body bytes. The reader enters the slow path, attempts to stack-allocate a buffer sized from that declared length, and can terminate the process before a catchable serialization exception is thrown. Affected components Package: MessagePack API: MessagePackReader.ReadDateTime Data types: DateTime and formatter paths that call ReadDateTime Finding IDs: MESSAGEPACKCSHARP-020, related stack allocation finding MESSAGEPACKCSHARP-CROW-MEM-001 Patches Fixes are prepared and will be released in coordinated patch versions. Upgrade guidance: Upgrade MessagePack to the patched version for your release line. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions. The fix should validate timestamp extension lengths before any stack allocation. Valid MessagePack timestamp payload lengths are limited to the supported timestamp encodings, so oversized extension lengths should fail with a catchable MessagePack serialization exception before the slow path allocates a buffer. Workarounds Patching is recommended. Until a patched version is available, avoid deserializing untrusted MessagePack payloads into schemas that contain DateTime or DateTimeOffset values. Where possible, enforce strict maximum message sizes and reject malformed extension payloads before they reach MessagePack-CSharp. There is no complete workaround for applications that must deserialize attacker-controlled MessagePack data containing date/time fields with affected versions. Resources MESSAGEPACKCSHARP-020: ReadDateTime stack allocation from attacker-controlled extension length MESSAGEPACKCSHARP-CROW-MEM-001: related attacker-controlled stack allocation finding in MessagePackReader CWE-770: Allocation of Resources Without Limits or Throttling CVE split rationale This vulnerability is independently fixable in the DateTime extension parsing path by validating extension lengths before stack allocation. It is separate from recursive stack overflows, LZ4 issues, and collection allocation bugs.
A read operation accesses a memory location beyond the intended buffer boundary. Typical impact: sensitive data disclosure or crash.
nuget
MessagePack (>= 3.0, < 3.1.7)MessagePack → 3.1.7 (nuget)Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter instead of chasing every advisory.
Kodem's Application Detection and Response identifies whether CVE-2026-48502 is reachable in your applications. Explore runtime application protection for your team.
See if CVE-2026-48502 is reachable in your applications. Get a demo
Already deployed Kodem? See CVE-2026-48502 in your environment →Upgrade MessagePack to 3.1.7 or later to resolve this vulnerability.
Kodem Kai can prioritize this vulnerability in your dependency tree and generate a fix recommendation.
CVE-2026-48502 is a high-severity out-of-bounds read vulnerability in MessagePack (nuget), affecting versions >= 3.0, < 3.1.7. It is fixed in 3.1.7. A read operation accesses a memory location beyond the intended buffer boundary.
MessagePack (nuget) versions >= 3.0, < 3.1.7 is affected.
Yes. CVE-2026-48502 is fixed in 3.1.7. Upgrade to this version or later.
Whether CVE-2026-48502 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
Upgrade MessagePack to 3.1.7 or later.