Skip to content

Commit 555ff3b

Browse files
1 parent 3fb531e commit 555ff3b

2 files changed

Lines changed: 160 additions & 0 deletions

File tree

Lines changed: 80 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,80 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-cxmj-83gh-fp49",
4+
"modified": "2026-06-25T21:26:43Z",
5+
"published": "2026-06-25T21:26:43Z",
6+
"aliases": [
7+
"CVE-2026-48515"
8+
],
9+
"summary": "MessagePack-CSharp: Multi-dimensional array formatters allocate from unchecked dimensions",
10+
"details": "## Summary\n\nMessagePack-CSharp's multi-dimensional array formatters read dimension lengths directly from the payload and allocate `T[,]`, `T[,,]`, or `T[,,,]` before validating that the dimension product matches the encoded element count.\n\nThe formatter reads a guarded element array header, but allocation of the target multi-dimensional array happens before the dimensions are checked against that element count. A small payload can therefore declare large dimensions, provide an empty or tiny inner array, and cause a large heap allocation before element data is validated.\n\n## Impact\n\nApplications are affected when they deserialize untrusted MessagePack payloads into models containing multi-dimensional arrays such as `T[,]`, `T[,,]`, or `T[,,,]`.\n\nAn attacker can encode large dimension integers and a small guarded element array. The formatter allocates the target array from the dimensions before confirming that the product of dimensions is consistent with the element count.\n\nThe result can be out-of-memory exceptions, container termination on memory-constrained hosts, large object heap pressure, or severe CPU cost from zero-initializing oversized arrays. `MessagePackSecurity.UntrustedData` does not provide a general allocation cap for this path.\n\n## Affected components\n\n- Package: `MessagePack`\n- APIs: `TwoDimensionalArrayFormatter<T>.Deserialize`, `ThreeDimensionalArrayFormatter<T>.Deserialize`, `FourDimensionalArrayFormatter<T>.Deserialize`\n- Data shapes: `T[,]`, `T[,,]`, and `T[,,,]`\n- Finding IDs: `MESSAGEPACKCSHARP-040`, duplicate/open variant `MESSAGEPACKCSHARP-OPEN-003`\n\n## Patches\n\nFixes are prepared and will be released in coordinated patch versions.\n\nUpgrade guidance:\n\n1. Upgrade `MessagePack` to the patched version for your release line.\n2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.\n\nThe fix should validate dimensions before allocation. Dimension values should be non-negative, their checked product should match the encoded element count, and the product should be bounded by the available payload and any configured security limits before `new T[...]` is executed.\n\n## Workarounds\n\nPatching is recommended.\n\nUntil a patched version is available, avoid deserializing untrusted payloads into schemas containing multi-dimensional arrays. Prefer schema shapes that can be validated before allocation, such as bounded lists, dictionaries with application-level count limits, or jagged arrays with application-level limits.\n\nMessage-size limits reduce the blast radius but do not fully address allocation amplification where a small payload can encode disproportionate array dimensions.\n\n## Resources\n\n- `MESSAGEPACKCSHARP-040`: unchecked multi-dimensional array dimensions\n- `MESSAGEPACKCSHARP-OPEN-003`: duplicate/open finding for the multi-dimensional array issue\n- CWE-770: Allocation of Resources Without Limits or Throttling",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "NuGet",
21+
"name": "MessagePack"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.5.301"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "NuGet",
40+
"name": "MessagePack"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "3.0"
48+
},
49+
{
50+
"fixed": "3.1.7"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-cxmj-83gh-fp49"
61+
},
62+
{
63+
"type": "ADVISORY",
64+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48515"
65+
},
66+
{
67+
"type": "PACKAGE",
68+
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp"
69+
}
70+
],
71+
"database_specific": {
72+
"cwe_ids": [
73+
"CWE-770"
74+
],
75+
"severity": "MODERATE",
76+
"github_reviewed": true,
77+
"github_reviewed_at": "2026-06-25T21:26:43Z",
78+
"nvd_published_at": "2026-06-22T22:16:48Z"
79+
}
80+
}
Lines changed: 80 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,80 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-w567-gjr2-hm5j",
4+
"modified": "2026-06-25T21:25:21Z",
5+
"published": "2026-06-25T21:25:21Z",
6+
"aliases": [
7+
"CVE-2026-48514"
8+
],
9+
"summary": "MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length",
10+
"details": "## Summary\n\n`UnsafeBlitFormatterBase<T>.Deserialize` reads an attacker-controlled `byteLength` from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining payload bytes.\n\nThe outer extension header is bounded by available input, but that bound is not used to constrain the inner `byteLength` before allocation. A very small payload can therefore request a very large `T[]` allocation.\n\n## Impact\n\nApplications are affected when they deserialize untrusted payloads using Unity blit resolvers such as `UnityBlitResolver` or `UnityBlitWithPrimitiveArrayResolver`.\n\nThis is especially relevant to Unity multiplayer clients or servers that use MessagePack-CSharp for networked values such as vectors, matrices, or primitive arrays. A hostile peer can send an extension payload with a large declared byte length and cause an out-of-memory exception or process termination on memory-constrained platforms.\n\nThe resolver is opt-in, but the vulnerable value is pure wire input and the allocation happens before the formatter verifies that the declared bytes are actually present in the extension body.\n\n## Affected components\n\n- Package: `MessagePack.UnityClient`\n- Resolvers: `UnityBlitResolver`, `UnityBlitWithPrimitiveArrayResolver`\n- API: `UnsafeBlitFormatterBase<T>.Deserialize`\n- Finding IDs: `MESSAGEPACKCSHARP-080`, duplicate/open variant `MESSAGEPACKCSHARP-OPEN-010`\n\n## Patches\n\nFixes are prepared and will be released in coordinated patch versions.\n\nUpgrade guidance:\n\n1. Upgrade `MessagePack.UnityClient` to the patched version for your release line.\n2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.\n\nThe fix should validate `byteLength` before allocation. It should reject negative lengths, lengths greater than the extension body length after metadata, and lengths that are not a valid multiple of the element size.\n\n## Workarounds\n\nPatching is recommended.\n\nUntil a patched version is available, do not use Unity blit resolvers on data received from untrusted peers. Use safer resolvers or explicitly validate and size-limit messages before deserialization.\n\n## Resources\n\n- `MESSAGEPACKCSHARP-080`: unsafe blit formatter allocation from unbounded byte length\n- `MESSAGEPACKCSHARP-OPEN-010`: duplicate/open finding for the same root cause\n- CWE-770: Allocation of Resources Without Limits or Throttling",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "NuGet",
21+
"name": "MessagePack"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2.5.301"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "NuGet",
40+
"name": "MessagePack"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "3.0"
48+
},
49+
{
50+
"fixed": "3.1.7"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-w567-gjr2-hm5j"
61+
},
62+
{
63+
"type": "ADVISORY",
64+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48514"
65+
},
66+
{
67+
"type": "PACKAGE",
68+
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp"
69+
}
70+
],
71+
"database_specific": {
72+
"cwe_ids": [
73+
"CWE-770"
74+
],
75+
"severity": "MODERATE",
76+
"github_reviewed": true,
77+
"github_reviewed_at": "2026-06-25T21:25:21Z",
78+
"nvd_published_at": "2026-06-22T22:16:48Z"
79+
}
80+
}

0 commit comments

Comments
 (0)