EXECUTIVE SUMMARY:
CVE-2026-48109 with a CVSS score of 8.2 is a memory‑bounds error in the optional LZ4 decompression path of the MessagePack .NET library (nuget/MessagePack) affecting versions prior to 2.5.301 and versions from 3.0.214‑rc.1 up to but not including 3.1.7. The library’s fast‑decompression routine does not enforce a source‑length bound, so a remote attacker who can supply a crafted MessagePack payload containing manipulated LZ4 token and length fields can force the decoder to read beyond the input buffer. Exploitation requires only the ability to deliver the malicious payload to any component that deserializes untrusted data with LZ4 compression enabled; no special privileges or authentication are needed. Successful exploitation triggers an AccessViolationException, causing the hosting process to terminate and potentially revealing a small amount of adjacent memory before the crash. The primary business impact is a denial‑of‑service condition that can interrupt services, degrade availability, and in some scenarios expose sensitive memory contents, especially for APIs or services that process external data streams. Exploitation is contingent on LZ4 compression being enabled for the deserialization path and on the application accepting attacker‑controlled MessagePack inputs.
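The missing check the summary describes, a source‑length bound applied before every read of the compressed input, is easiest to see in a small decoder. The following is an added example in Python, not code from the MessagePack library or its LZ4 fast path: it decodes the public LZ4 block format (token byte, literal run, 2‑byte match offset, match length) and refuses any sequence whose declared literal length, length extension, or offset would reach outside the source or the output produced so far. The sample blocks at the bottom are constructed by hand for this example and are not taken from any real payload.

```python
"""Bounds-checked LZ4 block decoder.

Added example (not MessagePack library code). It decodes the public LZ4
block format and checks every read against the source length, which is the
bound the advisory says the library's fast path did not enforce. Sample
inputs below are constructed by hand for this example.
"""


class Lz4BlockError(ValueError):
    """Raised when a block is malformed or would read past its input."""


def _read_length(src: bytes, pos: int, length: int) -> tuple[int, int]:
    """Consume the 0xFF-terminated length extension that follows a 15 nibble.

    Each byte is bounds-checked before it is read, so a crafted run of 0xFF
    bytes cannot push the cursor past the end of the source buffer.
    """
    while True:
        if pos >= len(src):
            raise Lz4BlockError("length extension runs past end of input")
        b = src[pos]
        pos += 1
        length += b
        if b != 0xFF:
            return length, pos


def lz4_block_decompress(src: bytes, max_output: int = 1 << 20) -> bytes:
    """Decode one LZ4 block, rejecting any sequence that exceeds the source bound."""
    src_len = len(src)
    out = bytearray()
    pos = 0
    while pos < src_len:
        token = src[pos]
        pos += 1

        # Literal run: the high nibble gives the count (15 means "read more").
        lit_len = token >> 4
        if lit_len == 15:
            lit_len, pos = _read_length(src, pos, lit_len)
        if lit_len > src_len - pos:            # the source-length bound
            raise Lz4BlockError(
                f"literal run of {lit_len} bytes exceeds {src_len - pos} remaining")
        if len(out) + lit_len > max_output:
            raise Lz4BlockError("output limit exceeded")
        out += src[pos:pos + lit_len]
        pos += lit_len
        if pos == src_len:
            break                               # final sequence carries literals only

        # Match: 2-byte little-endian offset back into the output produced so far.
        if src_len - pos < 2:
            raise Lz4BlockError("truncated match offset")
        offset = src[pos] | (src[pos + 1] << 8)
        pos += 2
        if offset == 0 or offset > len(out):
            raise Lz4BlockError(f"match offset {offset} outside decoded output")
        match_len = (token & 0x0F) + 4          # minimum match length is 4
        if (token & 0x0F) == 15:
            match_len, pos = _read_length(src, pos, match_len)
        if len(out) + match_len > max_output:
            raise Lz4BlockError("output limit exceeded")
        start = len(out) - offset
        for i in range(match_len):              # byte-wise copy so overlapping matches work
            out.append(out[start + i])
    return bytes(out)


def is_rejected(src: bytes) -> bool:
    """True when the decoder refuses the block instead of reading out of bounds."""
    try:
        lz4_block_decompress(src)
    except Lz4BlockError:
        return True
    return False


# Constructed sample blocks (not taken from any real payload).
GOOD_BLOCK = b"\x67hello \x06\x00\x10!"        # "hello " + 11-byte match + "!"
OVERLAP_BLOCK = b"\x14a\x01\x00"                # offset 1, match 8: overlapping copy
LONG_LITERALS = b"\xf0\x05" + b"A" * 20         # literal length 15 + 5 via extension
TRUNCATED_LITERALS = b"\x60abc"                 # token promises 6 literals, 3 present
BAD_OFFSET = b"\x17a\x05\x00"                   # offset 5 but only 1 byte decoded
RUNAWAY_EXTENSION = b"\xf0\xff\xff"             # extension never terminates

if __name__ == "__main__":
    print(lz4_block_decompress(GOOD_BLOCK))
    for name, blk in [("truncated literals", TRUNCATED_LITERALS),
                      ("bad offset", BAD_OFFSET),
                      ("runaway extension", RUNAWAY_EXTENSION)]:
        print(f"{name}: rejected={is_rejected(blk)}")
```

The three malformed samples each model one of the fields the summary names (literal length, length extension, match offset) being inconsistent with the bytes actually present; a decoder that trusts those fields and copies without comparing against the remaining source length is what produces the out‑of‑bounds read. The `max_output` cap is a second, independent bound that limits how much memory a single block may allocate.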
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://github.com/advisories/GHSA-hv8m-jj95-wg3x