Vulnerability Details CVE-2026-48511
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, ExpandoObjectFormatter.Deserialize populates System.Dynamic.ExpandoObject by calling IDictionary<string, object>.Add for each map entry. ExpandoObject internally maintains member names in array-like structures, so inserting many distinct keys can require repeated linear scans and array copies. For large attacker-controlled maps, this produces quadratic CPU and allocation behavior. The issue is especially surprising because ExpandoObjectResolver.Options is configured with MessagePackSecurity.UntrustedData, but collision-resistant dictionary comparers cannot protect ExpandoObject insertion internals. This vulnerability is fixed in 2.5.301 and 3.1.7.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 10.8%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2026-48511
-
cpe:2.3:a:messagepack:messagepack:.1.7.3.5
-
cpe:2.3:a:messagepack:messagepack:.1.7.3.6
-
cpe:2.3:a:messagepack:messagepack:1.0.1
-
cpe:2.3:a:messagepack:messagepack:1.0.2
-
cpe:2.3:a:messagepack:messagepack:1.0.3
-
cpe:2.3:a:messagepack:messagepack:1.1.0
-
cpe:2.3:a:messagepack:messagepack:1.1.1
-
cpe:2.3:a:messagepack:messagepack:1.1.2
-
cpe:2.3:a:messagepack:messagepack:1.2.0
-
cpe:2.3:a:messagepack:messagepack:1.2.1
-
cpe:2.3:a:messagepack:messagepack:1.2.3
-
cpe:2.3:a:messagepack:messagepack:1.3.0
-
cpe:2.3:a:messagepack:messagepack:1.3.1
-
cpe:2.3:a:messagepack:messagepack:1.3.2
-
cpe:2.3:a:messagepack:messagepack:1.3.3
-
cpe:2.3:a:messagepack:messagepack:1.4.0
-
cpe:2.3:a:messagepack:messagepack:1.4.1
-
cpe:2.3:a:messagepack:messagepack:1.4.2
-
cpe:2.3:a:messagepack:messagepack:1.4.3
-
cpe:2.3:a:messagepack:messagepack:1.4.4
-
cpe:2.3:a:messagepack:messagepack:1.5.0
-
cpe:2.3:a:messagepack:messagepack:1.5.1
-
cpe:2.3:a:messagepack:messagepack:1.6.0
-
cpe:2.3:a:messagepack:messagepack:1.6.1
-
cpe:2.3:a:messagepack:messagepack:1.6.1.2
-
cpe:2.3:a:messagepack:messagepack:1.6.2
-
cpe:2.3:a:messagepack:messagepack:1.7.0
-
cpe:2.3:a:messagepack:messagepack:1.7.1
-
cpe:2.3:a:messagepack:messagepack:1.7.2
-
cpe:2.3:a:messagepack:messagepack:1.7.3
-
cpe:2.3:a:messagepack:messagepack:1.7.3.1
-
cpe:2.3:a:messagepack:messagepack:1.7.3.2
-
cpe:2.3:a:messagepack:messagepack:1.7.3.3
-
cpe:2.3:a:messagepack:messagepack:1.7.3.4
-
cpe:2.3:a:messagepack:messagepack:1.7.3.7
-
cpe:2.3:a:messagepack:messagepack:1.9.3
-
cpe:2.3:a:messagepack:messagepack:2.0.110
-
cpe:2.3:a:messagepack:messagepack:2.0.119
-
cpe:2.3:a:messagepack:messagepack:2.0.123
-
cpe:2.3:a:messagepack:messagepack:2.0.204
-
cpe:2.3:a:messagepack:messagepack:2.0.270
-
cpe:2.3:a:messagepack:messagepack:2.0.299
-
cpe:2.3:a:messagepack:messagepack:2.0.323
-
cpe:2.3:a:messagepack:messagepack:2.0.335
-
cpe:2.3:a:messagepack:messagepack:2.0.94
-
cpe:2.3:a:messagepack:messagepack:2.1.115
-
cpe:2.3:a:messagepack:messagepack:2.1.143
-
cpe:2.3:a:messagepack:messagepack:2.1.152
-
cpe:2.3:a:messagepack:messagepack:2.1.165
-
cpe:2.3:a:messagepack:messagepack:2.1.194
-
cpe:2.3:a:messagepack:messagepack:2.1.80
-
cpe:2.3:a:messagepack:messagepack:2.1.90
-
cpe:2.3:a:messagepack:messagepack:2.2.113
-
cpe:2.3:a:messagepack:messagepack:2.2.36
-
cpe:2.3:a:messagepack:messagepack:2.2.44
-
cpe:2.3:a:messagepack:messagepack:2.2.60
-
cpe:2.3:a:messagepack:messagepack:2.2.85
-
cpe:2.3:a:messagepack:messagepack:2.3.112
-
cpe:2.3:a:messagepack:messagepack:2.3.58
-
cpe:2.3:a:messagepack:messagepack:2.3.73
-
cpe:2.3:a:messagepack:messagepack:2.3.75
-
cpe:2.3:a:messagepack:messagepack:2.3.85
-
cpe:2.3:a:messagepack:messagepack:2.4.14
-
cpe:2.3:a:messagepack:messagepack:2.4.23
-
cpe:2.3:a:messagepack:messagepack:2.4.35
-
cpe:2.3:a:messagepack:messagepack:2.4.59
-
cpe:2.3:a:messagepack:messagepack:2.5.103
-
cpe:2.3:a:messagepack:messagepack:2.5.108
-
cpe:2.3:a:messagepack:messagepack:2.5.124
-
cpe:2.3:a:messagepack:messagepack:2.5.129
-
cpe:2.3:a:messagepack:messagepack:2.5.140
-
cpe:2.3:a:messagepack:messagepack:2.5.168
-
cpe:2.3:a:messagepack:messagepack:2.5.171
-
cpe:2.3:a:messagepack:messagepack:2.5.172
-
cpe:2.3:a:messagepack:messagepack:2.5.187
-
cpe:2.3:a:messagepack:messagepack:2.5.192
-
cpe:2.3:a:messagepack:messagepack:2.5.198
-
cpe:2.3:a:messagepack:messagepack:2.5.205
-
cpe:2.3:a:messagepack:messagepack:2.5.64
-
cpe:2.3:a:messagepack:messagepack:2.5.94
-
cpe:2.3:a:messagepack:messagepack:3.0.111
-
cpe:2.3:a:messagepack:messagepack:3.0.129
-
cpe:2.3:a:messagepack:messagepack:3.0.134
-
cpe:2.3:a:messagepack:messagepack:3.0.208
-
cpe:2.3:a:messagepack:messagepack:3.0.214
-
cpe:2.3:a:messagepack:messagepack:3.0.233
-
cpe:2.3:a:messagepack:messagepack:3.0.238
-
cpe:2.3:a:messagepack:messagepack:3.0.3
-
cpe:2.3:a:messagepack:messagepack:3.0.300
-
cpe:2.3:a:messagepack:messagepack:3.0.301
-
cpe:2.3:a:messagepack:messagepack:3.0.54
-
cpe:2.3:a:messagepack:messagepack:3.1.0
-
cpe:2.3:a:messagepack:messagepack:3.1.1
-
cpe:2.3:a:messagepack:messagepack:3.1.2
-
cpe:2.3:a:messagepack:messagepack:3.1.3
-
cpe:2.3:a:messagepack:messagepack:3.1.4
-
cpe:2.3:a:messagepack:messagepack:3.1.5
-
cpe:2.3:a:messagepack:messagepack:3.1.6