GHSA-w567-gjr2-hm5j: MessagePack-CSharp: Unity unsafe blit formatter allocates from unbounded byte length
## Summary

`UnsafeBlitFormatterBase<T>.Deserialize` reads an attacker-controlled `byteLength` from an extension payload and allocates an array based on that value before validating it against the extension header length or remaining payload bytes. The outer extension header is bounded by available input, but that bound is not used to constrain the inner `byteLength` before allocation. A very small payload can therefore request a very large `T[]` allocation.

## Impact

Applications are affected when they deserialize untrusted payloads using Unity blit resolvers such as `UnityBlitResolver` or `UnityBlitWithPrimitiveArrayResolver`. This is especially relevant to Unity multiplayer clients or servers that use MessagePack-CSharp for networked values such as vectors, matrices, or primitive arrays. A hostile peer can send an extension payload with a large declared byte length and cause an out-of-memory exception or process termination on memory-constrained platforms.

The resolver is opt-in, but the vulnerable value is pure wire input, and the allocation happens before the formatter verifies that the declared bytes are actually present in the extension body.

## Affected components

- Package: `MessagePack.UnityClient`
- Resolvers: `UnityBlitResolver`, `UnityBlitWithPrimitiveArrayResolver`
- API: `UnsafeBlitFormatterBase<T>.Deserialize`
- Finding IDs: `MESSAGEPACKCSHARP-080`, duplicate/open variant `MESSAGEPACKCSHARP-OPEN-010`

## Patches

Fixes are prepared and will be released in coordinated patch versions.

Upgrade guidance:

1. Upgrade `MessagePack.UnityClient` to the patched version for your release line.
2. Upgrade companion MessagePack packages in the same dependency graph to the coordinated patched versions.

The fix should validate `byteLength` before allocation. It should reject negative lengths, lengths greater than the extension body length after metadata, and lengths that are not a valid multiple of the element size.

## Workarounds

Patching is recommended. Until a patched version is available, do not use Unity blit resolvers on data received from untrusted peers. Use safer resolvers or explicitly validate and size-limit messages before deserialization.

## Resources

- `MESSAGEPACKCSHARP-080`: unsafe blit formatter allocation from unbounded byte length
- `MESSAGEPACKCSHARP-OPEN-010`: duplicate/open finding for the same root cause
- CWE-770: Allocation of Resources Without Limits or Throttling
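As an added illustration, not MessagePack-CSharp's own code, the stand-alone C# helper below performs the three checks the Patches section calls for before any `T[]` is allocated. It assumes the extension body length has already been read from the extension header (which is bounded by available input), and `metadataLength` is an assumed parameter for the bytes that precede the raw element data, including the `byteLength` field itself.

```csharp
using System;

// Hypothetical stand-alone validator; not part of MessagePack-CSharp.
// It decides how many elements may be allocated from a wire-supplied
// byteLength, or throws before any allocation takes place.
public static class BlitLengthValidator
{
    // extBodyLength:  extension body length from the already-read extension header.
    // metadataLength: assumed count of formatter bytes before the raw element data.
    // elementSize:    sizeof(T) for the blittable element type (e.g. 12 for a float3).
    public static int ValidateByteLength(int byteLength, int extBodyLength,
                                         int metadataLength, int elementSize)
    {
        if (elementSize <= 0)
            throw new ArgumentOutOfRangeException(nameof(elementSize));
        if (metadataLength < 0 || metadataLength > extBodyLength)
            throw new FormatException("Metadata length exceeds the extension body.");

        // Bytes actually present in the extension body after the metadata.
        int available = extBodyLength - metadataLength;

        // 1. An int32 read from the wire may be negative; reject it outright.
        if (byteLength < 0)
            throw new FormatException($"Negative blit byte length {byteLength}.");

        // 2. The declared length must be backed by bytes that are really there.
        if (byteLength > available)
            throw new FormatException(
                $"Declared {byteLength} bytes but only {available} remain in the extension body.");

        // 3. The payload must be a whole number of elements.
        if (byteLength % elementSize != 0)
            throw new FormatException(
                $"Byte length {byteLength} is not a multiple of element size {elementSize}.");

        return byteLength / elementSize;
    }

    public static void Main()
    {
        // Constructed benign case: 4 bytes of metadata, 48 bytes of 12-byte elements.
        Console.WriteLine(ValidateByteLength(48, 52, 4, 12)); // 4 elements

        // Constructed hostile case: an 8-byte body that declares ~2 GB of element data.
        try { ValidateByteLength(int.MaxValue - 3, 8, 4, 12); }
        catch (FormatException e) { Console.WriteLine("Rejected: " + e.Message); }
    }
}
```

The second call is rejected by check 2 on the declared length alone, so the oversized array the advisory describes is never requested from the allocator.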
CVSS v4.0
Technical Details
- GCVE Source: db.gcve.eu
- OSV ID: GHSA-w567-gjr2-hm5j
- OSV Schema Version: 1.4.0
- Aliases: CVE-2026-48514
- Ecosystems: NuGet
- Database Specific Severity: MODERATE
- CVSS Version: 4.0
Threat ID: 6a3ef7f427e9c79719036f9b
Added to database: 06/26/2026, 22:06:44 UTC
Last updated: 06/26/2026, 22:06:44 UTC