CVE-2026-48514
NixOS vulnerability analysis and mitigation

Overview

CVE-2026-48514 is a Denial of Service vulnerability in MessagePack for C# (MessagePack-CSharp) caused by unbounded memory allocation during deserialization. The UnsafeBlitFormatterBase<T>.Deserialize method reads an attacker-controlled byteLength from an extension payload and allocates a T[] array based on that value before validating it against the actual extension header length or remaining payload bytes. This allows a tiny crafted payload to trigger an arbitrarily large memory allocation. Affected versions include all releases prior to 2.5.301 (v2.x branch) and 3.0.3 through 3.1.6 (v3.x branch); fixed versions are 2.5.301 and 3.1.7. The vulnerability carries a CVSS v3.1 base score of 7.5 (High) and a CVSS v4.0 base score of 6.3 (Medium) (GitHub Advisory).

Technical details

The root cause is classified as CWE-770 (Allocation of Resources Without Limits or Throttling). The vulnerable code path exists in UnsafeBlitFormatterBase<T>.Deserialize, which is used by Unity blit resolvers (UnityBlitResolver, UnityBlitWithPrimitiveArrayResolver) in the MessagePack.UnityClient package. When deserializing a MessagePack extension payload, the method reads a byteLength field from the inner payload data and immediately allocates a T[] array of that declared size; the outer extension header is bounded by available input, but this bound is never applied to constrain byteLength before the allocation occurs. An attacker can craft a minimal-size MessagePack extension payload with a byteLength field set to a very large value (e.g., near Int32.MaxValue), causing the runtime to attempt allocation of a massive array and triggering an out-of-memory exception or process termination (GitHub Advisory).

Impact

Successful exploitation results in a Denial of Service — specifically, an out-of-memory exception or process termination on the affected host. There is no impact to confidentiality or integrity; the vulnerability is purely an availability issue. Applications most at risk are Unity multiplayer clients or servers that deserialize untrusted network payloads containing vectors, matrices, or primitive arrays using the affected blit resolvers, as a single hostile peer can exhaust system memory and deny service to all legitimate users (GitHub Advisory).

Exploitation steps

  1. Identify target: Locate a Unity multiplayer application (client or server) that uses MessagePack-CSharp with UnityBlitResolver or UnityBlitWithPrimitiveArrayResolver to deserialize network data from peers.
  2. Craft malicious payload: Construct a valid MessagePack extension payload where the inner byteLength field is set to a very large integer value (e.g., close to Int32.MaxValue or 2^30) while keeping the actual payload body minimal (e.g., just a few bytes).
  3. Transmit payload: Send the crafted MessagePack message to the target over the network channel used by the application (e.g., UDP/TCP game networking socket), impersonating a legitimate peer if necessary.
  4. Trigger allocation: The UnsafeBlitFormatterBase<T>.Deserialize method reads the attacker-supplied byteLength and attempts to allocate a T[] array of that size before any bounds check, exhausting available memory.
  5. Achieve DoS: The target process throws an OutOfMemoryException or is terminated by the OS, denying service to legitimate users (GitHub Advisory).

Indicators of compromise

  • Logs: Application logs showing repeated OutOfMemoryException or System.OutOfMemoryException stack traces originating from UnsafeBlitFormatterBase<T>.Deserialize or MessagePack deserialization code paths.
  • Process Behavior: Sudden spike in managed heap memory consumption by the Unity or .NET process immediately following receipt of a network message, followed by process crash or restart.
  • Network: Unusually small inbound MessagePack extension payloads (a few bytes) arriving on game networking ports from unexpected or new peer addresses, particularly if correlated with application crashes.
  • System: Operating system-level out-of-memory kill events (e.g., Linux OOM killer logs, Windows application crash event logs) associated with the affected Unity application process.

Mitigation and workarounds

Upgrade MessagePack.UnityClient (and companion MessagePack packages) to version 2.5.301 (for the 2.x branch) or 3.1.7 (for the 3.x branch), which validate byteLength before allocation — rejecting negative lengths, lengths exceeding the extension body, and lengths that are not a valid multiple of the element size. As a temporary workaround if immediate patching is not possible, avoid using UnityBlitResolver or UnityBlitWithPrimitiveArrayResolver on data received from untrusted peers; use safer resolvers or explicitly validate and enforce size limits on incoming messages before deserialization. Monitoring memory usage for abnormal allocation spikes can help detect exploitation attempts in the interim (GitHub Advisory).
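The pre-deserialization size check suggested above, as an added example that is not MessagePack-CSharp code. It assumes the blit extension body begins with a MessagePack-encoded byteLength (positive fixint, uint32 or int32 marker) followed by the raw element bytes, that BinaryPrimitives is available (.NET Standard 2.1 or later), and uses 0x1e as a placeholder extension type code; it applies the same three rejections the fixed releases perform, plus an application-level cap.

```csharp
using System;
using System.Buffers.Binary;

// Added example, not MessagePack-CSharp code. Checks a blit extension payload before
// it reaches the deserializer. Assumes the ext body starts with a MessagePack-encoded
// byteLength (positive fixint, uint32 0xce or int32 0xd2) followed by the element bytes.
public static class BlitPayloadGuard
{
    // True when the declared byteLength can be honoured for elements of elementSize
    // bytes without exceeding maxBytes; false means the message should be dropped.
    public static bool IsSafe(ReadOnlySpan<byte> payload, int elementSize, int maxBytes)
    {
        if (elementSize <= 0 || payload.Length < 3) return false;
        int bodyLength, headerSize; // ext header: marker, body length, type code
        switch (payload[0])
        {
            case 0xc7: bodyLength = payload[1]; headerSize = 3; break;                                          // ext 8
            case 0xc8: if (payload.Length < 4) return false;
                       bodyLength = BinaryPrimitives.ReadUInt16BigEndian(payload.Slice(1)); headerSize = 4; break; // ext 16
            case 0xc9: if (payload.Length < 6) return false;
                       uint l = BinaryPrimitives.ReadUInt32BigEndian(payload.Slice(1));
                       if (l > int.MaxValue) return false; bodyLength = (int)l; headerSize = 6; break;          // ext 32
            default: return false; // fixext and non-ext markers are not handled here
        }
        if (payload.Length - headerSize < bodyLength) return false; // body truncated: reject
        ReadOnlySpan<byte> body = payload.Slice(headerSize, bodyLength);
        long byteLength; int intSize; // decode the declared byteLength at the start of the body
        if (body.Length >= 1 && body[0] <= 0x7f) { byteLength = body[0]; intSize = 1; }
        else if (body.Length >= 5 && body[0] == 0xce) { byteLength = BinaryPrimitives.ReadUInt32BigEndian(body.Slice(1)); intSize = 5; }
        else if (body.Length >= 5 && body[0] == 0xd2) { byteLength = BinaryPrimitives.ReadInt32BigEndian(body.Slice(1)); intSize = 5; }
        else return false;
        // The checks the fixed releases apply, plus an application-level cap.
        if (byteLength < 0) return false;                     // negative length
        if (byteLength > body.Length - intSize) return false; // exceeds the extension body
        if (byteLength % elementSize != 0) return false;      // not a multiple of the element size
        return byteLength <= maxBytes;
    }

    public static void Main()
    {
        // Constructed sample payloads; 0x1e is a placeholder ext type code.
        byte[] hostile = { 0xc7, 0x05, 0x1e, 0xce, 0x7f, 0xff, 0xff, 0xff }; // 5-byte body declaring ~2 GiB
        byte[] benign = { 0xc7, 0x0d, 0x1e, 0xd2, 0x00, 0x00, 0x00, 0x08,
                          1, 0, 0, 0, 2, 0, 0, 0 };                          // 8 bytes: two 4-byte elements
        Console.WriteLine("hostile accepted: " + IsSafe(hostile, 4, 1 << 20));
        Console.WriteLine("benign accepted: " + IsSafe(benign, 4, 1 << 20));
    }
}
```

The hostile payload is rejected because its declared length exceeds the five-byte extension body, which is the condition the unpatched Deserialize path never checked before allocating.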

This report was generated using AI.

Related NixOS vulnerabilities (fields: CVE ID, severity, score, technology, component name, CISA KEV exploit, has fix, published date):

CVE-2026-48517 | MEDIUM | 6.3 | NixOS | messagepack | No | Jun 22, 2026
CVE-2026-48516 | MEDIUM | 6.3 | NixOS | messagepack | No | Jun 22, 2026
CVE-2026-48515 | MEDIUM | 6.3 | NixOS | messagepack | No | Jun 22, 2026
CVE-2026-48514 | MEDIUM | 6.3 | NixOS | messagepack | No | Jun 22, 2026
CVE-2026-48513 | MEDIUM | 6.3 | NixOS | messagepack | No | Jun 22, 2026
