PT-2026-38312 · Nerdbank · Messagepack

Aarnott · Published 2026-05-06 · Updated 2026-05-14 · CVE-2026-44375

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Nerdbank.MessagePack versions prior to 1.1.62
Description: An uncontrolled stack allocation issue exists in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, leading the reader to allocate an attacker-controlled number of bytes on the stack. This occurs because tokenSize is derived from the declared extension length before that length is validated against the legal MessagePack timestamp sizes (4, 8, or 12 bytes). When the buffer is incomplete, this unvalidated size is passed to a stackalloc operation, triggering a StackOverflowException that terminates the process and results in a denial of service. This affects applications that deserialize MessagePack data from untrusted sources where the target type contains a DateTime value.
Recommendations:
- Update to version 1.1.62.
- Avoid deserializing untrusted MessagePack payloads into type graphs containing DateTime fields or properties.
- Pre-validate MessagePack extension headers and reject timestamp extensions with lengths other than 4, 8, or 12 bytes.
- Reject or filter extension type -1 timestamp values from untrusted input.
- Run deserialization of untrusted payloads in an isolated process that can be safely restarted.
- Restrict MessagePack deserialization to trusted producers.
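The ordering defect described above and the header pre-validation the recommendations call for, as an added example in Python. This is not code from the Nerdbank.MessagePack project and does not use the library's API; the function names, the ExtHeader type and the sample byte strings are all constructed here. The unsafe function returns the size the pre-fix path would hand to stackalloc instead of allocating it; the hardened validator checks the extension type and length against 4, 8 and 12 before the length is used for anything, and only then checks that the buffer actually carries the payload.

```python
"""Pre-validation of MessagePack timestamp extension headers (added example).

Illustrative Python, not code from the Nerdbank.MessagePack project. It models
the ordering defect in the advisory next to the hardened ordering: a decoder
that takes its token size from the declared extension length before checking
it, versus one that checks the type and length against the legal timestamp
sizes (4, 8 or 12 bytes) before the length is used for anything. All function
names and sample byte strings are constructed here.
"""
import struct
from dataclasses import dataclass

TIMESTAMP_EXT_TYPE = -1                   # msgpack reserves type -1 for timestamps
LEGAL_TIMESTAMP_LENGTHS = frozenset({4, 8, 12})

# fixext format byte -> fixed payload length (msgpack spec).
_FIXEXT_LENGTHS = {0xD4: 1, 0xD5: 2, 0xD6: 4, 0xD7: 8, 0xD8: 16}
# ext 8/16/32 format byte -> (width of the length field in bytes, struct code).
_EXT_LENGTH_FIELDS = {0xC7: (1, ">B"), 0xC8: (2, ">H"), 0xC9: (4, ">I")}


@dataclass(frozen=True)
class ExtHeader:
    ext_type: int     # signed 8-bit extension type
    data_len: int     # payload length exactly as the sender declared it
    data_offset: int  # index of the first payload byte


def read_ext_header(buf: bytes, pos: int = 0) -> ExtHeader:
    """Parse an ext/fixext header at buf[pos]; the payload itself is not read."""
    if pos >= len(buf):
        raise ValueError("buffer is empty")
    fmt = buf[pos]
    if fmt in _FIXEXT_LENGTHS:
        if pos + 2 > len(buf):
            raise ValueError("truncated fixext header")
        ext_type = struct.unpack_from(">b", buf, pos + 1)[0]
        return ExtHeader(ext_type, _FIXEXT_LENGTHS[fmt], pos + 2)
    if fmt in _EXT_LENGTH_FIELDS:
        width, code = _EXT_LENGTH_FIELDS[fmt]
        if pos + 2 + width > len(buf):
            raise ValueError("truncated ext header")
        data_len = struct.unpack_from(code, buf, pos + 1)[0]
        ext_type = struct.unpack_from(">b", buf, pos + 1 + width)[0]
        return ExtHeader(ext_type, data_len, pos + 2 + width)
    raise ValueError(f"0x{fmt:02x} is not a MessagePack ext format byte")


def unsafe_stackalloc_size(buf: bytes) -> int:
    """Pre-fix ordering: the token size is taken from the declared length first.
    On an incomplete buffer that unchecked number is what stackalloc would be
    asked for; this model returns the number instead of allocating it."""
    hdr = read_ext_header(buf)
    token_size = hdr.data_len                       # derived before validation
    if hdr.data_offset + token_size > len(buf):     # incomplete buffer
        return token_size                           # sender-chosen size
    if token_size not in LEGAL_TIMESTAMP_LENGTHS:   # the check arrives too late
        raise ValueError(f"illegal timestamp extension length {token_size}")
    return token_size


def validate_timestamp_header(buf: bytes, pos: int = 0) -> ExtHeader:
    """Hardened ordering: reject the header before its length is used anywhere,
    then confirm the buffer really carries that many payload bytes."""
    hdr = read_ext_header(buf, pos)
    if hdr.ext_type != TIMESTAMP_EXT_TYPE:
        raise ValueError(f"extension type {hdr.ext_type} is not a timestamp")
    if hdr.data_len not in LEGAL_TIMESTAMP_LENGTHS:
        raise ValueError(f"illegal timestamp extension length {hdr.data_len}")
    if hdr.data_offset + hdr.data_len > len(buf):
        raise ValueError("truncated timestamp payload")
    return hdr


def is_rejected(buf: bytes) -> bool:
    """True when the hardened validator refuses the header at buf[0]."""
    try:
        validate_timestamp_header(buf)
    except ValueError:
        return True
    return False


def decode_timestamp(buf: bytes, pos: int = 0) -> tuple:
    """Decode a validated timestamp 32/64/96 into (seconds, nanoseconds)."""
    hdr = validate_timestamp_header(buf, pos)
    data = buf[hdr.data_offset:hdr.data_offset + hdr.data_len]
    if hdr.data_len == 4:                           # timestamp 32: uint32 seconds
        return struct.unpack(">I", data)[0], 0
    if hdr.data_len == 8:                           # timestamp 64: nanos<<34 | secs
        packed = struct.unpack(">Q", data)[0]
        return packed & ((1 << 34) - 1), packed >> 34
    nanos, secs = struct.unpack(">Iq", data)        # timestamp 96: uint32, int64
    return secs, nanos


# Constructed sample inputs (not captured traffic).
SAMPLE_TS32 = bytes([0xD6, 0xFF, 0x00, 0x00, 0x00, 0x2A])               # 42 s
SAMPLE_TS64 = bytes([0xD7, 0xFF]) + ((5 << 34) | 100).to_bytes(8, "big")
SAMPLE_TS96 = (bytes([0xC7, 0x0C, 0xFF]) + (7).to_bytes(4, "big")
               + (-1).to_bytes(8, "big", signed=True))
# ext32 header declaring a 1 MiB type -1 payload with no payload bytes behind it.
MALFORMED_TS = bytes([0xC9, 0x00, 0x10, 0x00, 0x00, 0xFF])

if __name__ == "__main__":
    for sample in (SAMPLE_TS32, SAMPLE_TS64, SAMPLE_TS96):
        print(decode_timestamp(sample))
    print("pre-fix ordering would stackalloc", unsafe_stackalloc_size(MALFORMED_TS), "bytes")
    print("hardened ordering rejects it:", is_rejected(MALFORMED_TS))
```

The validator works on one extension header at a time, so a pre-filter for a whole document still needs a walker that skips the other MessagePack types and calls validate_timestamp_header at every ext header; the point it demonstrates is only the ordering: type and length first, then the length may be used.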

Fix

Weakness Enumeration

Related Identifiers

CVE-2026-44375
GHSA-2CWQ-PWFR-WCW3

Affected Products

Messagepack