CVE-2026-44375: Nerdbank.MessagePack: Attacker-controlled stackalloc in DateTime decoding causes process-terminating StackOverflowException
Nerdbank.MessagePack contains an uncontrolled stack allocation vulnerability in DateTime decoding. A malicious MessagePack payload can declare an oversized timestamp extension length, causing the reader to allocate an attacker-controlled number of bytes on the stack. This can trigger a StackOverflowException, which is not catchable by user code and terminates the process.
References
- github.com/AArnott/Nerdbank.MessagePack
- github.com/AArnott/Nerdbank.MessagePack/commit/7d1eb319cfabe7280e70699946c9a48579fa2f30
- github.com/AArnott/Nerdbank.MessagePack/pull/941
- github.com/AArnott/Nerdbank.MessagePack/releases/tag/v1.1.62
- github.com/AArnott/Nerdbank.MessagePack/security/advisories/GHSA-2cwq-pwfr-wcw3
- github.com/advisories/GHSA-2cwq-pwfr-wcw3
- github.com/msgpack/msgpack/blob/master/spec.md
- nvd.nist.gov/vuln/detail/CVE-2026-44375
Code Behaviors & Features
Detect and mitigate CVE-2026-44375 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →