Vulnerability Details CVE-2026-48516
MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, InterfaceLookupFormatter<TKey,TElement> constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> with the default equality comparer instead of the security-aware comparer supplied by options.Security.GetEqualityComparer<TKey>(). This formatter omission allows hash-collision CPU denial of service against ILookup<TKey,TElement> even when the application has opted into the untrusted-data security posture This vulnerability is fixed in 2.5.301 and 3.1.7.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.002
EPSS Ranking 10.8%
CVSS Severity
CVSS v3 Score 7.5
References
Products affected by CVE-2026-48516
-
cpe:2.3:a:messagepack:messagepack:.1.7.3.5
-
cpe:2.3:a:messagepack:messagepack:.1.7.3.6
-
cpe:2.3:a:messagepack:messagepack:1.0.1
-
cpe:2.3:a:messagepack:messagepack:1.0.2
-
cpe:2.3:a:messagepack:messagepack:1.0.3
-
cpe:2.3:a:messagepack:messagepack:1.1.0
-
cpe:2.3:a:messagepack:messagepack:1.1.1
-
cpe:2.3:a:messagepack:messagepack:1.1.2
-
cpe:2.3:a:messagepack:messagepack:1.2.0
-
cpe:2.3:a:messagepack:messagepack:1.2.1
-
cpe:2.3:a:messagepack:messagepack:1.2.3
-
cpe:2.3:a:messagepack:messagepack:1.3.0
-
cpe:2.3:a:messagepack:messagepack:1.3.1
-
cpe:2.3:a:messagepack:messagepack:1.3.2
-
cpe:2.3:a:messagepack:messagepack:1.3.3
-
cpe:2.3:a:messagepack:messagepack:1.4.0
-
cpe:2.3:a:messagepack:messagepack:1.4.1
-
cpe:2.3:a:messagepack:messagepack:1.4.2
-
cpe:2.3:a:messagepack:messagepack:1.4.3
-
cpe:2.3:a:messagepack:messagepack:1.4.4
-
cpe:2.3:a:messagepack:messagepack:1.5.0
-
cpe:2.3:a:messagepack:messagepack:1.5.1
-
cpe:2.3:a:messagepack:messagepack:1.6.0
-
cpe:2.3:a:messagepack:messagepack:1.6.1
-
cpe:2.3:a:messagepack:messagepack:1.6.1.2
-
cpe:2.3:a:messagepack:messagepack:1.6.2
-
cpe:2.3:a:messagepack:messagepack:1.7.0
-
cpe:2.3:a:messagepack:messagepack:1.7.1
-
cpe:2.3:a:messagepack:messagepack:1.7.2
-
cpe:2.3:a:messagepack:messagepack:1.7.3
-
cpe:2.3:a:messagepack:messagepack:1.7.3.1
-
cpe:2.3:a:messagepack:messagepack:1.7.3.2
-
cpe:2.3:a:messagepack:messagepack:1.7.3.3
-
cpe:2.3:a:messagepack:messagepack:1.7.3.4
-
cpe:2.3:a:messagepack:messagepack:1.7.3.7
-
cpe:2.3:a:messagepack:messagepack:1.9.3
-
cpe:2.3:a:messagepack:messagepack:2.0.110
-
cpe:2.3:a:messagepack:messagepack:2.0.119
-
cpe:2.3:a:messagepack:messagepack:2.0.123
-
cpe:2.3:a:messagepack:messagepack:2.0.204
-
cpe:2.3:a:messagepack:messagepack:2.0.270
-
cpe:2.3:a:messagepack:messagepack:2.0.299
-
cpe:2.3:a:messagepack:messagepack:2.0.323
-
cpe:2.3:a:messagepack:messagepack:2.0.335
-
cpe:2.3:a:messagepack:messagepack:2.0.94
-
cpe:2.3:a:messagepack:messagepack:2.1.115
-
cpe:2.3:a:messagepack:messagepack:2.1.143
-
cpe:2.3:a:messagepack:messagepack:2.1.152
-
cpe:2.3:a:messagepack:messagepack:2.1.165
-
cpe:2.3:a:messagepack:messagepack:2.1.194
-
cpe:2.3:a:messagepack:messagepack:2.1.80
-
cpe:2.3:a:messagepack:messagepack:2.1.90
-
cpe:2.3:a:messagepack:messagepack:2.2.113
-
cpe:2.3:a:messagepack:messagepack:2.2.36
-
cpe:2.3:a:messagepack:messagepack:2.2.44
-
cpe:2.3:a:messagepack:messagepack:2.2.60
-
cpe:2.3:a:messagepack:messagepack:2.2.85
-
cpe:2.3:a:messagepack:messagepack:2.3.112
-
cpe:2.3:a:messagepack:messagepack:2.3.58
-
cpe:2.3:a:messagepack:messagepack:2.3.73
-
cpe:2.3:a:messagepack:messagepack:2.3.75
-
cpe:2.3:a:messagepack:messagepack:2.3.85
-
cpe:2.3:a:messagepack:messagepack:2.4.14
-
cpe:2.3:a:messagepack:messagepack:2.4.23
-
cpe:2.3:a:messagepack:messagepack:2.4.35
-
cpe:2.3:a:messagepack:messagepack:2.4.59
-
cpe:2.3:a:messagepack:messagepack:2.5.103
-
cpe:2.3:a:messagepack:messagepack:2.5.108
-
cpe:2.3:a:messagepack:messagepack:2.5.124
-
cpe:2.3:a:messagepack:messagepack:2.5.129
-
cpe:2.3:a:messagepack:messagepack:2.5.140
-
cpe:2.3:a:messagepack:messagepack:2.5.168
-
cpe:2.3:a:messagepack:messagepack:2.5.171
-
cpe:2.3:a:messagepack:messagepack:2.5.172
-
cpe:2.3:a:messagepack:messagepack:2.5.187
-
cpe:2.3:a:messagepack:messagepack:2.5.192
-
cpe:2.3:a:messagepack:messagepack:2.5.198
-
cpe:2.3:a:messagepack:messagepack:2.5.205
-
cpe:2.3:a:messagepack:messagepack:2.5.64
-
cpe:2.3:a:messagepack:messagepack:2.5.94
-
cpe:2.3:a:messagepack:messagepack:3.0.111
-
cpe:2.3:a:messagepack:messagepack:3.0.129
-
cpe:2.3:a:messagepack:messagepack:3.0.134
-
cpe:2.3:a:messagepack:messagepack:3.0.208
-
cpe:2.3:a:messagepack:messagepack:3.0.214
-
cpe:2.3:a:messagepack:messagepack:3.0.233
-
cpe:2.3:a:messagepack:messagepack:3.0.238
-
cpe:2.3:a:messagepack:messagepack:3.0.3
-
cpe:2.3:a:messagepack:messagepack:3.0.300
-
cpe:2.3:a:messagepack:messagepack:3.0.301
-
cpe:2.3:a:messagepack:messagepack:3.0.54
-
cpe:2.3:a:messagepack:messagepack:3.1.0
-
cpe:2.3:a:messagepack:messagepack:3.1.1
-
cpe:2.3:a:messagepack:messagepack:3.1.2
-
cpe:2.3:a:messagepack:messagepack:3.1.3
-
cpe:2.3:a:messagepack:messagepack:3.1.4
-
cpe:2.3:a:messagepack:messagepack:3.1.5
-
cpe:2.3:a:messagepack:messagepack:3.1.6