CVE-2026-48516
NixOS Vulnerability Analysis and Mitigation

Overview

CVE-2026-48516 is a hash-collision CPU denial-of-service vulnerability in MessagePack for C# (MessagePack-CSharp), a widely used MessagePack serializer for .NET. The flaw is in the InterfaceLookupFormatter<TKey,TElement> component, which builds its internal dictionary with the default equality comparer instead of the security-aware comparer configured through options.Security.GetEqualityComparer<TKey>(), so the untrusted-data security posture the application explicitly configured is silently bypassed for this one type. Affected versions are all releases prior to 2.5.301 (v2 line) and 3.0.3 through 3.1.6 (v3 line); the fixed versions are 2.5.301 and 3.1.7. The vulnerability was published on June 22, 2026, with patches coordinated by maintainer AArnott. It carries a CVSS v3.1 base score of 7.5 (High) and a CVSS v4.0 base score of 6.3 (Medium) (GitHub Advisory).

Technical Details

The root cause is classified as CWE-407 (Inefficient Algorithmic Complexity): InterfaceLookupFormatter constructs an internal Dictionary<TKey, IGrouping<TKey,TElement>> using the default .NET equality comparer rather than the collision-resistant comparer provided by options.Security.GetEqualityComparer<TKey>(). All sibling dictionary and lookup formatters in the library correctly use the security-aware comparer when MessagePackSecurity.UntrustedData is configured, but this formatter was overlooked. An attacker who can supply crafted MessagePack-serialized data with many hash-colliding keys forces every key into a single bucket chain, so each insertion degrades from amortized O(1) to O(n) and inserting n keys costs O(n²) comparisons in total, consuming CPU time out of all proportion to the payload size. Exploitation requires that the target application deserializes untrusted payloads into schemas containing ILookup<TKey,TElement> with a key type whose default hash the attacker can predict from the serialized bytes; the library's collision-resistant comparers exist precisely to hash keys with a per-process secret so that such prediction is not possible (GitHub Advisory).

Impact

Successful exploitation results in excessive CPU consumption on the affected server, leading to service degradation or complete unavailability (denial of service). There is no impact on confidentiality or data integrity — the vulnerability is purely an availability issue. The attack is particularly insidious because it bypasses a security mitigation (MessagePackSecurity.UntrustedData) that developers deliberately enabled to protect against exactly this class of attack, meaning applications believed to be hardened may still be vulnerable (GitHub Advisory).

Exploitation Steps

  1. Reconnaissance: Identify applications that use MessagePack for C# (versions prior to 2.5.301 or 3.0.3 through 3.1.6) and accept untrusted MessagePack-serialized input over a network endpoint, particularly those deserializing into schemas containing ILookup<TKey,TElement>. An application that has enabled MessagePackSecurity.UntrustedData is still in scope, because the affected formatter ignores that setting.
  2. Craft colliding keys: Generate a large set of distinct keys that share a hash code under the default .NET equality comparer for the target key type. This is practical when that hash is deterministic and derivable from the serialized bytes (for example a custom key type with a naive GetHashCode, or strings on a runtime without per-process randomized string hashing); on runtimes that randomize string hashing, string keys are a much harder target.
  3. Construct malicious payload: Serialize a MessagePack message containing a lookup structure (ILookup) with the crafted colliding keys, producing a valid but adversarial binary payload.
  4. Submit payload: Send the crafted MessagePack payload to the target application's deserialization endpoint (e.g., an API endpoint, message queue consumer, or RPC handler).
  5. Trigger DoS: The InterfaceLookupFormatter inserts the colliding keys into a Dictionary built with the default comparer; every insertion walks the entire chain of previously inserted colliding keys, so n keys cost O(n²) comparisons and the request occupies a CPU core far longer than a benign payload of the same size, degrading or crashing the service (GitHub Advisory).
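The mechanism described in the technical details and in the final "Trigger DoS" step above, as an added example that is not code from MessagePack-CSharp or the advisory. SessionKey, SeededSessionKeyComparer and LookupDemo are hypothetical names: SessionKey stands in for any key type whose default hash is attacker-predictable, BuildDefault models the vulnerable formatter's dictionary construction, and Build models the fix, where the comparer is supplied from the outside (in the patched formatter it comes from options.Security.GetEqualityComparer<TKey>()). SeededSessionKeyComparer illustrates the idea behind a collision-resistant comparer (hashing the key's contents with a secret per-process seed); it is not the library's implementation. The input is constructed so that every key hashes to 0 under the default comparer.

```csharp
// Added example, not MessagePack-CSharp code. Run with `dotnet run` on net6.0 or later.
using System;
using System.Collections.Generic;
using System.Diagnostics;
using System.Security.Cryptography;

// Hypothetical key type with a deterministic, attacker-predictable hash
// (a stand-in for a custom key with a naive GetHashCode).
public readonly struct SessionKey : IEquatable<SessionKey>
{
    public int Tenant { get; }
    public int Id { get; }
    public SessionKey(int tenant, int id) { Tenant = tenant; Id = id; }
    public bool Equals(SessionKey other) => Tenant == other.Tenant && Id == other.Id;
    public override bool Equals(object? obj) => obj is SessionKey k && Equals(k);
    // Weak hash: every key with Tenant == Id hashes to 0, so an attacker can
    // produce arbitrarily many distinct keys that land in one bucket chain.
    public override int GetHashCode() => Tenant ^ Id;
}

// Illustrative collision-resistant comparer: hashes the key's fields together with a
// per-process random seed that cannot be derived from the wire bytes.
public sealed class SeededSessionKeyComparer : IEqualityComparer<SessionKey>
{
    private static readonly int Seed = RandomNumberGenerator.GetInt32(int.MaxValue);
    public bool Equals(SessionKey x, SessionKey y) => x.Equals(y);
    public int GetHashCode(SessionKey k) => HashCode.Combine(Seed, k.Tenant, k.Id);
}

public static class LookupDemo
{
    // Vulnerable shape: the dictionary is built with the default comparer regardless of
    // what the caller configured.
    public static Dictionary<SessionKey, List<string>> BuildDefault(
        IEnumerable<(SessionKey Key, string Value)> entries)
        => Build(entries, EqualityComparer<SessionKey>.Default);

    // Fixed shape: the comparer is chosen by the caller; the patched formatter obtains it
    // from options.Security.GetEqualityComparer<TKey>().
    public static Dictionary<SessionKey, List<string>> Build(
        IEnumerable<(SessionKey Key, string Value)> entries, IEqualityComparer<SessionKey> comparer)
    {
        var groups = new Dictionary<SessionKey, List<string>>(comparer);
        foreach (var (key, value) in entries)
        {
            if (!groups.TryGetValue(key, out var list))
                groups[key] = list = new List<string>();
            list.Add(value);
        }
        return groups;
    }

    // Constructed adversarial input: n distinct keys that all hash to 0 under the default comparer.
    public static List<(SessionKey, string)> CollidingEntries(int n)
    {
        var entries = new List<(SessionKey, string)>(n);
        for (int i = 0; i < n; i++) entries.Add((new SessionKey(i, i), "v" + i));
        return entries;
    }

    public static TimeSpan Time(Action action)
    {
        var sw = Stopwatch.StartNew();
        action();
        return sw.Elapsed;
    }

    public static void Main()
    {
        var entries = CollidingEntries(10_000);
        var seeded = new SeededSessionKeyComparer();
        // With the default comparer each insert scans every earlier colliding key (quadratic);
        // with the seeded comparer the same keys spread across buckets (linear).
        Console.WriteLine($"default comparer: {Time(() => BuildDefault(entries)).TotalMilliseconds:F0} ms");
        Console.WriteLine($"seeded comparer : {Time(() => Build(entries, seeded)).TotalMilliseconds:F0} ms");
    }
}
```

Doubling the key count roughly quadruples the default-comparer time while the seeded-comparer time grows linearly, which is the signature of CWE-407. The seeded comparer only helps if the seed is generated at runtime and never serialized; a fixed seed would be as predictable as the original hash.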

Indicators of Compromise

  • Network: Repeated or sustained requests to API endpoints that accept MessagePack-encoded bodies, particularly with unusually large or structurally complex payloads targeting lookup-typed fields.
  • Process/System: Sustained high CPU utilization on the application server process (e.g., dotnet worker process) without a corresponding increase in legitimate traffic or business logic load.
  • Logs: Application logs showing slow or timed-out deserialization operations; exceptions or timeouts originating from MessagePack deserialization code paths involving ILookup types.
  • Application Metrics: Sudden spike in request processing latency or thread pool exhaustion correlated with receipt of specific MessagePack-encoded messages.

Mitigation and Workarounds

The primary remediation is to upgrade MessagePack for C# to version 2.5.301 (v2 line) or 3.1.7 (v3 line), which fix the InterfaceLookupFormatter to use options.Security.GetEqualityComparer<TKey>() when constructing the internal dictionary. All companion MessagePack packages in the same dependency graph should be upgraded to coordinated patched versions simultaneously; because the library is frequently pulled in transitively (for example through RPC frameworks), confirm the resolved version with dotnet list package --include-transitive rather than relying on direct references alone. As a temporary workaround prior to patching, avoid exposing ILookup<TKey,TElement> in DTOs that deserialize untrusted data, since enabling MessagePackSecurity.UntrustedData alone does not protect this formatter; use collection types already protected by the security-aware comparer path, or enforce collection size limits at the transport boundary so that the quadratic term stays bounded (GitHub Advisory).
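One way to implement the transport-boundary size limit mentioned above, as an added example that is not code from MessagePack-CSharp or the advisory. It assumes the MessagePack NuGet package is referenced and uses only its public MessagePackReader, MessagePackSerializer and MessagePackSerializerOptions APIs; PayloadBudget, ShouldReject and ExceedsBudget are hypothetical names, and the budget values and sample payloads are constructed for the demonstration. The guard walks the declared map and array headers of a payload before any deserializer (including one that still routes ILookup keys through the default comparer) sees it, and rejects payloads that declare too many elements, nest too deeply, or are malformed.

```csharp
// Added example, not MessagePack-CSharp code. Requires the MessagePack NuGet package.
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using MessagePack;

public static class PayloadBudget
{
    // True if the payload should be rejected: its headers declare more than maxElements
    // collection entries in total, nesting exceeds maxDepth, or the framing is malformed.
    public static bool ShouldReject(ReadOnlyMemory<byte> payload, int maxElements, int maxDepth = 64)
    {
        try
        {
            var reader = new MessagePackReader(payload);
            long total = 0;
            return ExceedsBudget(ref reader, maxElements, maxDepth, ref total);
        }
        catch (EndOfStreamException) { return true; }              // declared sizes exceed the bytes present
        catch (MessagePackSerializationException) { return true; } // invalid MessagePack framing
    }

    private static bool ExceedsBudget(ref MessagePackReader reader, int maxElements, int depthLeft, ref long total)
    {
        if (depthLeft == 0) return true; // bound recursion so a deeply nested payload cannot exhaust the stack
        switch (reader.NextMessagePackType)
        {
            case MessagePackType.Map:
                int pairs = reader.ReadMapHeader();
                if ((total += pairs) > maxElements) return true;
                for (int i = 0; i < pairs; i++)
                {
                    if (ExceedsBudget(ref reader, maxElements, depthLeft - 1, ref total)) return true; // key
                    if (ExceedsBudget(ref reader, maxElements, depthLeft - 1, ref total)) return true; // value
                }
                return false;
            case MessagePackType.Array:
                int count = reader.ReadArrayHeader();
                if ((total += count) > maxElements) return true;
                for (int i = 0; i < count; i++)
                    if (ExceedsBudget(ref reader, maxElements, depthLeft - 1, ref total)) return true;
                return false;
            default:
                reader.Skip(); // scalars, strings, binary and extensions carry no elements to count
                return false;
        }
    }

    public static void Main()
    {
        // Options every untrusted-input path should already use; the guard sits in front of them.
        var options = MessagePackSerializerOptions.Standard.WithSecurity(MessagePackSecurity.UntrustedData);

        // Constructed inputs: a small legitimate map and a map declaring far more entries than the budget.
        byte[] small = MessagePackSerializer.Serialize(new Dictionary<string, int> { ["a"] = 1, ["b"] = 2 }, options);
        byte[] bloated = MessagePackSerializer.Serialize(
            Enumerable.Range(0, 5000).ToDictionary(i => "k" + i, i => i), options);

        const int budget = 1000; // per-endpoint value; pick it from the largest legitimate message
        Console.WriteLine($"small   rejected: {ShouldReject(small, budget)}");
        Console.WriteLine($"bloated rejected: {ShouldReject(bloated, budget)}");

        if (!ShouldReject(small, budget))
        {
            var parsed = MessagePackSerializer.Deserialize<Dictionary<string, int>>(small, options);
            Console.WriteLine($"deserialized {parsed.Count} entries");
        }
    }
}
```

The guard does not remove the collision problem; it caps n so that the worst case stays at roughly budget² comparisons, which is why the budget must be set per endpoint from the largest legitimate message rather than from a generic default. It is a stopgap until the patched package is deployed, not a replacement for the upgrade.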

Additional Resources


This report was generated using AI.

Related NixOS vulnerabilities:

CVE ID          Severity  Score  Technology  Component    CISA KEV exploited  Fix available  Published
CVE-2026-48517  MEDIUM    6.3    NixOS       messagepack  No                                 Jun 22, 2026
CVE-2026-48516  MEDIUM    6.3    NixOS       messagepack  No                                 Jun 22, 2026
CVE-2026-48515  MEDIUM    6.3    NixOS       messagepack  No                                 Jun 22, 2026
CVE-2026-48514  MEDIUM    6.3    NixOS       messagepack  No                                 Jun 22, 2026
CVE-2026-48513  MEDIUM    6.3    NixOS       messagepack  No                                 Jun 22, 2026
