
CVE-2026-48514: MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length

June 25, 2026

UnsafeBlitFormatterBase<T>.Deserialize (the base class of the Unity unsafe blit formatters) reads an attacker-controlled byteLength from inside an extension payload and allocates a T[] sized from that value before validating it against either the extension header's length or the number of payload bytes actually remaining.

The outer extension header is itself bounded by the available input, but that bound is never applied to the inner byteLength before the allocation happens. A message of only a few bytes can therefore request an array of up to int.MaxValue bytes, which forces the deserializing process to allocate (or fail with an OutOfMemoryException) before it ever discovers that the payload is empty. The impact is limited to availability, consistent with the CVSS vector below.
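The following self-contained C# is an added illustration of the pattern the advisory describes; it is not code from MessagePack-CSharp. It models a blit-style array formatter over a hypothetical wire layout (ext32 header, then a big-endian int32 byteLength, then the raw element bytes, with the length prefix counted inside the ext length), with the unchecked deserializer beside the bounded one. The type code, the layout and the helper names are assumptions made for the example.

```csharp
using System;
using System.Buffers.Binary;
using System.Runtime.InteropServices;

// Added example, not MessagePack-CSharp code. Hypothetical wire layout:
//   0xc9 (ext32) | uint32 extLen | int8 typeCode | int32 byteLength | byteLength raw bytes
// extLen is assumed to cover the int32 prefix plus the raw bytes.
public static class BlitFormatterDemo
{
    public const sbyte TypeCode = 30; // hypothetical reserved ext type code

    // Parses the ext32 header shared by both deserializers; returns the offset of byteLength.
    private static int ReadHeader(ReadOnlySpan<byte> input, out uint extLen)
    {
        int pos = 0;
        if (input[pos++] != 0xc9) throw new FormatException("expected ext32 header");
        extLen = BinaryPrimitives.ReadUInt32BigEndian(input.Slice(pos)); pos += 4;
        if ((sbyte)input[pos++] != TypeCode) throw new FormatException("unexpected ext type");
        return pos;
    }

    // Vulnerable shape: the array is sized from byteLength before any bound is applied.
    public static T[] DeserializeUnchecked<T>(ReadOnlySpan<byte> input) where T : unmanaged
    {
        int pos = ReadHeader(input, out _);
        int byteLength = BinaryPrimitives.ReadInt32BigEndian(input.Slice(pos)); pos += 4;

        // BUG: byteLength is attacker-controlled and has not been compared with
        // the ext header length or the bytes remaining in the buffer.
        var result = new T[byteLength / Marshal.SizeOf<T>()];
        input.Slice(pos, byteLength).CopyTo(MemoryMarshal.AsBytes(result.AsSpan()));
        return result;
    }

    // Hardened shape: every length is checked against what is actually present first.
    public static T[] DeserializeChecked<T>(ReadOnlySpan<byte> input) where T : unmanaged
    {
        int pos = ReadHeader(input, out uint extLen);
        // The ext payload must fit in the buffer we were given.
        if (extLen > (uint)(input.Length - pos)) throw new FormatException("ext length exceeds input");
        if (extLen < 4) throw new FormatException("ext payload too short for length prefix");
        int byteLength = BinaryPrimitives.ReadInt32BigEndian(input.Slice(pos)); pos += 4;

        int elemSize = Marshal.SizeOf<T>();
        int remaining = (int)extLen - 4; // bytes of ext payload left after the prefix
        // Bound byteLength by the ext payload and require whole elements BEFORE allocating.
        if (byteLength < 0 || byteLength > remaining || byteLength % elemSize != 0)
            throw new FormatException("byteLength inconsistent with ext payload");

        var result = new T[byteLength / elemSize];
        input.Slice(pos, byteLength).CopyTo(MemoryMarshal.AsBytes(result.AsSpan()));
        return result;
    }

    // Produces a well-formed message for the layout above (constructed test input).
    public static byte[] Serialize<T>(T[] value) where T : unmanaged
    {
        int byteLength = value.Length * Marshal.SizeOf<T>();
        var buf = new byte[10 + byteLength];
        buf[0] = 0xc9;
        BinaryPrimitives.WriteUInt32BigEndian(buf.AsSpan(1), (uint)(4 + byteLength));
        buf[5] = (byte)TypeCode;
        BinaryPrimitives.WriteInt32BigEndian(buf.AsSpan(6), byteLength);
        MemoryMarshal.AsBytes(value.AsSpan()).CopyTo(buf.AsSpan(10));
        return buf;
    }

    // Constructed attacker input: a 10-byte message whose inner byteLength claims ~2 GiB.
    public static byte[] CraftOversized()
    {
        var buf = new byte[10];
        buf[0] = 0xc9;
        BinaryPrimitives.WriteUInt32BigEndian(buf.AsSpan(1), 4); // ext payload is only the prefix
        buf[5] = (byte)TypeCode;
        BinaryPrimitives.WriteInt32BigEndian(buf.AsSpan(6), int.MaxValue);
        return buf;
    }

    public static void Main()
    {
        int[] original = { 1, 2, 3, 4 };
        Console.WriteLine("checked round-trip: " + string.Join(",", DeserializeChecked<int>(Serialize(original))));

        byte[] evil = CraftOversized();
        try { DeserializeChecked<int>(evil); }
        catch (FormatException e) { Console.WriteLine("checked: rejected (" + e.Message + ")"); }

        // The unchecked path tries to allocate ~2 GiB from a 10-byte message before it
        // looks at how many bytes are actually present; only afterwards does the slice fail.
        try { var r = DeserializeUnchecked<int>(evil); Console.WriteLine("unchecked: allocated " + r.Length + " ints"); }
        catch (OutOfMemoryException) { Console.WriteLine("unchecked: OutOfMemoryException"); }
        catch (ArgumentOutOfRangeException) { Console.WriteLine("unchecked: allocated ~2 GiB, then failed to slice the payload"); }
    }
}
```

The same rule applies to any custom formatter built on MessagePackReader: compare an inner length against the ExtensionHeader.Length you just read and against the bytes still available in the reader before calling `new T[]`, and reject lengths that are not a whole multiple of the element size.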

References

  • github.com/MessagePack-CSharp/MessagePack-CSharp/security/advisories/GHSA-w567-gjr2-hm5j
  • github.com/advisories/GHSA-w567-gjr2-hm5j
  • nvd.nist.gov/vuln/detail/CVE-2026-48514


Affected versions

All versions before 2.5.301, all versions starting from 3.0.0 before 3.1.7

Fixed versions

  • 2.5.301
  • 3.1.7

Solution

Upgrade to 2.5.301 or later on the 2.5 release line, or to 3.1.7 or later on the 3.x release line.

Impact: 3.7 LOW

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L


Weakness

  • CWE-770: Allocation of Resources Without Limits or Throttling

Source file

nuget/MessagePack/CVE-2026-48514.yml



Page generated Fri, 26 Jun 2026 12:17:02 +0000.