Visit NES for .NET Home Page
MessagePack Release Notes
Comprehensive release notes and changelog for MessagePack, including security patches, bug fixes, and feature updates across all supported versions.
3 Patched Vulnerabilities
VEX Statements
2.5.192.x Releases
2.5.192.2 (NES)
Notes
- This release keeps NES for MessagePack on the
2.5.192.xline while backporting LZ4 decompression hardening for CVE-2026-48109.
Security Fixes
- LZ4 decompression: Adds bounds checks for crafted LZ4 payloads that could trigger out-of-bounds reads and an
AccessViolationExceptiondenial of service when deserializing untrusted data with LZ4 compression enabled.- This fixes a high-severity MessagePack LZ4 denial-of-service vulnerability (CVE-2026-48109, GHSA-hv8m-jj95-wg3x).