MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase<T>.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining payload bytes. The outer extension header is bounded by available input, but that bound is not used to constrain the inner byteLength before allocation. A very small payload can therefore request a very large T[] allocation. This vulnerability is fixed in 2.5.301 and 3.1.7.
PUBLISHED5.2CWE-770
MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length
Problem type
Affected products
MessagePack-CSharp
MessagePack-CSharp
>= 3.1.7, < 3.1.7 - AFFECTED
< 2.5.301 - AFFECTED
References
GitHub Security Advisories
GHSA-w567-gjr2-hm5j
MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length
https://github.com/advisories/GHSA-w567-gjr2-hm5jSummary
UnsafeBlitFormatterBase<T>.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining payload bytes.
The outer extension header is bounded by available input, but that bound is not used to constrain the inner byteLength before allocation. A very small payload can therefore request a very large T[] allocation.
Impact
Applications are affected when they deserialize untrusted payloads using Unity blit resolvers such as UnityBlitResolver or UnityBlitWithPrimitiveArrayResolver.
This is especially relevant to Unity multiplayer clients or servers that use MessagePack-CSharp for networked values such as vectors, matrices, or primitive arrays. A hostile peer can send an extension payload with a large declared byte length and cause an out-of-memory exception or process termination on memory-constrained platforms.
The resolver is opt-in, but the vulnerable value is pure wire input and the allocation happens before the formatter verifies that the declared bytes are actually present in the extension body.
Affected components
- Package:
MessagePack.UnityClient - Resolvers:
UnityBlitResolver,UnityBlitWithPrimitiveArrayResolver - API:
UnsafeBlitFormatterBase<T>.Deserialize - Finding IDs:
MESSAGEPACKCSHARP-080, duplicate/open variantMESSAGEPACKCSHARP-OPEN-010
Patches
Fixes are prepared and will be released in coordinated patch versions.
Upgrade guidance:
- Upgrade
MessagePack.UnityClientto the patched version for your release line. - Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.
The fix should validate byteLength before allocation. It should reject negative lengths, lengths greater than the extension body length after metadata, and lengths that are not a valid multiple of the element size.
Workarounds
Patching is recommended.
Until a patched version is available, do not use Unity blit resolvers on data received from untrusted peers. Use safer resolvers or explicitly validate and size-limit messages before deserialization.
Resources
MESSAGEPACKCSHARP-080: unsafe blit formatter allocation from unbounded byte lengthMESSAGEPACKCSHARP-OPEN-010: duplicate/open finding for the same root cause- CWE-770: Allocation of Resources Without Limits or Throttling
JSON source
https://cveawg.mitre.org/api/cve/CVE-2026-48514Click to expand
{
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"cveMetadata": {
"cveId": "CVE-2026-48514",
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"dateUpdated": "2026-06-22T21:11:35.224Z",
"dateReserved": "2026-05-21T16:18:10.618Z",
"datePublished": "2026-06-22T21:11:35.224Z",
"state": "PUBLISHED"
},
"containers": {
"cna": {
"providerMetadata": {
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M",
"dateUpdated": "2026-06-22T21:11:35.224Z"
},
"title": "MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length",
"descriptions": [
{
"lang": "en",
"value": "MessagePack for C# is a MessagePack serializer for C#. Prior to 2.5.301 and 3.1.7, UnsafeBlitFormatterBase<T>.Deserialize reads an attacker-controlled byteLength from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining payload bytes. The outer extension header is bounded by available input, but that bound is not used to constrain the inner byteLength before allocation. A very small payload can therefore request a very large T[] allocation. This vulnerability is fixed in 2.5.301 and 3.1.7."
}
],
"affected": [
{
"vendor": "MessagePack-CSharp",
"product": "MessagePack-CSharp",
"versions": [
{
"version": ">= 3.1.7, < 3.1.7",
"status": "affected"
},
{
"version": "< 2.5.301",
"status": "affected"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"lang": "en",
"description": "CWE-770: Allocation of Resources Without Limits or Throttling",
"cweId": "CWE-770",
"type": "CWE"
}
]
}
],
"references": [
{
"url": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-w567-gjr2-hm5j",
"name": "https://github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-w567-gjr2-hm5j",
"tags": [
"x_refsource_CONFIRM"
]
}
],
"metrics": [
{}
]
}
}
}