CVE-2026-48515: 
NixOS 취약성 분석 및 완화

CVE-2026-48515 is a denial-of-service vulnerability in MessagePack for C# (MessagePack-CSharp) caused by unchecked dimension allocation in multi-dimensional array formatters. Disclosed on June 22, 2026, it affects all versions prior to 2.5.301 and versions 3.0.3 through 3.1.6 in the 3.x branch. A crafted MessagePack payload can trigger excessive heap memory allocation before element validation occurs, leading to memory exhaustion. It carries a CVSS v3.1 base score of 7.5 (High) and a CVSS v4.0 base score of 6.3 (Medium) (GitHub Advisory).

The root cause is CWE-770 (Allocation of Resources Without Limits or Throttling) in the TwoDimensionalArrayFormatter.Deserialize, ThreeDimensionalArrayFormatter.Deserialize, and FourDimensionalArrayFormatter.Deserialize methods. These formatters read dimension lengths directly from the attacker-controlled payload and allocate T[,], T[,,], or T[,,,] arrays before verifying that the product of declared dimensions matches the encoded element count. Because the guarded element array header is read after allocation, an attacker can supply a small payload encoding arbitrarily large dimension integers alongside an empty or minimal inner array, causing a disproportionately large heap allocation. Notably, MessagePackSecurity.UntrustedData does not provide a general allocation cap for this code path, leaving no built-in mitigation in unpatched versions (GitHub Advisory).

Successful exploitation causes out-of-memory exceptions, potential container termination on memory-constrained hosts, large object heap pressure, and severe CPU cost from zero-initializing oversized arrays — all resulting in denial of service. The vulnerability has no confidentiality or integrity impact; only availability is affected. Any application that deserializes untrusted MessagePack payloads into models containing multi-dimensional arrays (T[,], T[,,], or T[,,,]) is at risk, and repeated exploitation could render services persistently unavailable (GitHub Advisory).

1. Identify target: Locate a network-accessible service that accepts and deserializes MessagePack-encoded data into C# models containing multi-dimensional arrays (T[,], T[,,], or T[,,,]), running an unpatched version of MessagePack-CSharp (< 2.5.301 or 3.0.3–3.1.6).
2. Craft malicious payload: Construct a valid MessagePack-encoded message that declares a multi-dimensional array type (e.g., int[,]) with very large dimension values (e.g., dimensions of 100,000 × 100,000) while providing an empty or near-empty inner element array.
3. Transmit payload: Send the crafted payload to the target service endpoint that triggers deserialization of the multi-dimensional array type.
4. Trigger allocation: The vulnerable formatter reads the large dimension values from the payload and allocates the full multi-dimensional array on the heap (e.g., a 10 GB array) before checking whether the element count matches the declared dimensions.
5. Achieve denial of service: The excessive heap allocation causes an out-of-memory exception, container termination, or severe performance degradation, rendering the service unavailable. Repeated requests can sustain the denial-of-service condition (GitHub Advisory).

• Logs: Sudden OutOfMemoryException stack traces in application logs referencing TwoDimensionalArrayFormatter, ThreeDimensionalArrayFormatter, or FourDimensionalArrayFormatter during deserialization operations; repeated deserialization errors from the same source IP.
• Process/Runtime: Abnormal spike in .NET process memory consumption (e.g., dotnet process RSS growing rapidly to near system limits) coinciding with incoming MessagePack deserialization requests; large object heap (LOH) pressure visible in .NET runtime diagnostics or APM tools.
• Network: Unusual volume of small MessagePack-encoded requests to deserialization endpoints from a single or small set of source IPs; requests with payloads that are disproportionately small relative to the memory impact they cause.
• Infrastructure: Container or pod restarts due to OOMKilled events on memory-constrained hosts; host-level memory exhaustion alerts triggered during periods of low legitimate traffic.

Upgrade MessagePack-CSharp to version 2.5.301 (for the 2.x branch) or 3.1.7 (for the 3.x branch), which validate dimension values and their product against the encoded element count before allocation. If immediate patching is not possible, avoid deserializing untrusted MessagePack payloads into schemas containing multi-dimensional arrays; prefer bounded lists, dictionaries with application-level count limits, or jagged arrays with explicit limits. Implementing message-size limits at the network or application layer reduces blast radius but does not fully prevent allocation amplification from small payloads with large declared dimensions (GitHub Advisory).