Ctrl + K
/ news / CVE
CVEPublished 2026-06-22Modified 2026-06-230 articles on news6 live referencesNVD data

CVE-2026-48502Messagepack · Messagepack

Vulnerability data via NVD (ingested)

CVSS v3.1
7.5
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS percentile
Weaknesses (CWE)
CWE-125Out-of-bounds ReadCWE-190Integer Overflow or WraparoundCWE-407Inefficient Algorithmic ComplexityCWE-409Improper Handling of Highly Compressed Data (Data Amplification)CWE-470Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')CWE-502Deserialization of Untrusted DataCWE-674Uncontrolled RecursionCWE-789Memory Allocation with Excessive Size ValueCWE-1188Initialization of a Resource with an Insecure Default
Description

MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, MessagePackReader.ReadDateTime() can allocate stack memory based on an attacker-controlled MessagePack extension length. In the slow path for timestamp extension parsing, the computed tokenSize includes the extension body length from the wire and is used in a stackalloc operation before the extension length is validated as one of the valid timestamp sizes. A very small payload can claim a large timestamp extension body and cause a stack allocation large enough to trigger an uncatchable StackOverflowException, terminating the host process. This vulnerability is fixed in 2.5.301 and 3.1.7.

Timeline
Published 2026-06-22
Modified 2026-06-23

External references

NVDMITREExploit-DBGitHub PoCSploitusVulnCheck

Search for exposed instances

Shodan + Censys queries derived from NVD's CPE data. The vuln tag catches assets Shodan has explicitly linked to this CVE; the product / banner fingerprints find exposed instances even when the vuln tag was never applied (which is common).

Shodan · vuln tag0 hosts
vuln:CVE-2026-48502
Hosts Shodan has explicitly fingerprinted as vulnerable.
Shodan · product
product:"Messagepack Messagepack"
All exposed Messagepack Messagepack instances — cross-reference with the CVE's affected-version range.
Shodan · banner/body mention
http.html:"Messagepack"
HTTP body or banner mentions "Messagepack" — catches deploys Shodan didn't identify as a product.
More intel sources (5)
Shodan report
vuln:CVE-2026-48502
Country / ASN / product breakdown for the vuln query.
Censys
vulnerabilities.cve_id: CVE-2026-48502
Censys host search filtered to this CVE id.
grep.app
CVE-2026-48502
Public source-code mentions — fast PoC discovery.
GitHub code
CVE-2026-48502
GitHub code search for direct mentions.
Google dork
"CVE-2026-48502" exploit -site:nvd.nist.gov
Write-ups and news, NVD excluded.

Known PoCs on GitHub

No public proof-of-concept repositories found for CVE-2026-48502 on GitHub.
We haven't classified any articles referencing CVE-2026-48502 yet. The external references above still apply.