CVE-2026-48109
MessagePack's LZ4 decompression may fail with AccessViolationException after dereferencing memory from bad input
Description
### Impact

A vulnerability exists in the optional LZ4 decompression path used by MessagePack compression modes `Lz4Block` and `Lz4BlockArray`. The decoder implementation is based on a deprecated fast-decompression algorithm that does not take a source-length bound. A remote attacker can send a crafted MessagePack payload with manipulated LZ4 token/length fields to force out-of-bounds reads from the compressed input buffer. In affected environments, this can trigger an `AccessViolationException` during decompression, causing process termination (denial of service). Under some conditions, limited unintended memory disclosure from over-read data may also be possible before failure.

This issue affects applications that deserialize untrusted data while LZ4 compression is enabled.

### Patches

The v2 versions are patched as of 2.5.301. The v3 versions are patched as of 3.1.7.

### Workarounds

Instead of upgrading, an application may take the following precautions:

1. Disable LZ4 compression for untrusted input paths (`Lz4Block`, `Lz4BlockArray`).
2. Only accept compressed payloads from strongly trusted producers.
3. Isolate deserialization in a separate process/container with restart supervision to limit availability impact.

### Resources

- MESSAGEPACKCSHARP-010
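The following C# snippet is an added illustration of workarounds 1 and 2 above; it is not code from the advisory or from the MessagePack-C# project. It assumes the MessagePack-C# v2 API (`MessagePackSerializerOptions.Standard`, `WithCompression`, `WithSecurity`, `MessagePackSecurity.UntrustedData`) and assumes that the LZ4 decompression path is only entered when the options passed to `Deserialize` carry a compression mode, so decoding untrusted input with `MessagePackCompression.None` keeps it out of the vulnerable decoder. The class and method names are made up for the example.

```csharp
using System;
using MessagePack;

// Added example, not part of the advisory or MessagePack-C#.
// Assumption: the LZ4 decoder runs only when the deserialization options
// have a compression mode set, so untrusted input is decoded with
// MessagePackCompression.None and never reaches that code path.
public static class UntrustedMessagePack
{
    // Workaround 1: options for data from untrusted producers, LZ4 disabled.
    public static readonly MessagePackSerializerOptions UntrustedOptions =
        MessagePackSerializerOptions.Standard
            .WithCompression(MessagePackCompression.None)
            .WithSecurity(MessagePackSecurity.UntrustedData);

    // Workaround 2: a separate, clearly named option set that is only ever
    // used for payloads from strongly trusted producers.
    public static readonly MessagePackSerializerOptions TrustedLz4Options =
        MessagePackSerializerOptions.Standard
            .WithCompression(MessagePackCompression.Lz4BlockArray);

    // Entry point for anything that arrived over the network or from a file
    // the application does not control.
    public static T DeserializeUntrusted<T>(byte[] payload)
    {
        // Fail closed if someone later edits UntrustedOptions to enable LZ4.
        if (UntrustedOptions.Compression != MessagePackCompression.None)
        {
            throw new InvalidOperationException(
                "LZ4 decompression must stay disabled for untrusted input.");
        }

        // With compression off, a payload carrying an LZ4 ext header is
        // expected to be rejected as malformed MessagePack instead of being
        // handed to the LZ4 decoder (assumption about library behaviour).
        return MessagePackSerializer.Deserialize<T>(payload, UntrustedOptions);
    }
}
```

Keeping the two option sets as separate named fields makes code review straightforward: any call site that deserializes untrusted bytes should reference `UntrustedOptions`, and a grep for `TrustedLz4Options` shows exactly where compressed input is still accepted.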
How to fix CVE-2026-48109
To fix CVE-2026-48109, upgrade the affected package to the patched version listed below.
- Upgrade to 2.5.301 or later
Is CVE-2026-48109 being exploited?
There are currently no exploitation signals. CVE-2026-48109 is not listed in CISA KEV and has no recent EPSS score.
Affected packages (1)
- from 0, < 2.5.301
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.2) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H |