Memory Allocation with Excessive Size Value Affecting nerdbank.messagepack package, versions [,1.1.62)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-DOTNET-NERDBANKMESSAGEPACK-16638652
- published11 May 2026
- disclosed6 May 2026
- creditUnknown
Introduced: 6 May 2026
CVE-2026-44375 (opens in a new tab)How to fix?
Upgrade Nerdbank.MessagePack to version 1.1.62 or higher.
Overview
Nerdbank.MessagePack is an A modern, fast and NativeAOT-compatible MessagePack serialization library
Affected versions of this package are vulnerable to Memory Allocation with Excessive Size Value the TryRead timestamp decoder in MessagePackPrimitives.Readers.cs. An attacker can crash deserialization by supplying a DateTime extension header with an excessively large length. The reader converts the extension length to an int with checked((int)header.Length), so a crafted timestamp header can trigger an exception while parsing untrusted MessagePack data and prevent the application from processing the payload.