CVE-2026-44375

HIGH SEVERITY

CVSS Score & Metrics

Base Score

7.5 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H                                    

Vulnerability Description

Nerdbank.MessagePack is a NativeAOT-compatible MessagePack serialization library. Prior to 1.1.62, Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a StackOverflowException, which is not catchable by user code and terminates the process. This vulnerability is fixed in 1.1.62.

Vulnerability Details

Published Date

May 06, 2026

Last Modified

May 14, 2026

CWE ID

CWE-789

Source

GitHub

Vendor

nuget

Product

Nerdbank.MessagePack

External References

https://github.com/AArnott/Nerdbank.MessagePack/security/advisories/GHSA-2cwq-pwfr-wcw3
https://github.com/AArnott/Nerdbank.MessagePack/pull/941
https://github.com/AArnott/Nerdbank.MessagePack/commit/7d1eb319cfabe7280e70699946c9a48579fa2f30
https://github.com/AArnott/Nerdbank.MessagePack/releases/tag/v1.1.62
https://github.com/msgpack/msgpack/blob/master/spec.md#timestamp-extension-type
https://github.com/advisories/GHSA-2cwq-pwfr-wcw3

CVE-2026-44375

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment