CVE-2026-9521
Deferred - Pending Action
Improper Input Validation in Bitsery Library

Publication date: 2026-05-26

Last updated on: 2026-05-26

Assigner: VulDB

Description
A security vulnerability has been detected in fraillt bitsery up to 5.2.4. The affected function is loadFromSharedState in the header include/bitsery/ext/std_smart_ptr.h. Manipulating its input leads to improper validation of the specified type of input. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 5.2.5 addresses this issue. The name of the patch is 66d16516e24893bebc1c8af52bf2fe9ad0735061. Upgrading the affected component is advised.

Meta Information

Published: 2026-05-26
Last Modified: 2026-05-26
Generated: 2026-06-15
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14

Affected Vendors & Products

Showing 2 associated CPEs

| Vendor | Product | Version / Range |
|---|---|---|
| fraillt | bitsery | to 5.2.5 (exc) |
| fraillt | bitsery | From 5.2.0 (inc) to 5.2.5 (exc) |

| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |

Executive Summary

CVE-2026-9521 is a security vulnerability in the bitsery library (up to version 5.2.4) involving insecure deserialization of untrusted input. Specifically, the function loadFromSharedState in the shared pointer handling code allows improper validation of the input type, leading to type confusion.

This vulnerability arises because the library performs shallow copies of shared pointers without proper type checking during deserialization. An attacker can manipulate pointers to reference objects of different types within the same archive, bypassing protections like ASLR and accessing or corrupting memory.

The issue can lead to address leakage, arbitrary memory reads, VTable hijacking, denial-of-service, and potentially arbitrary code execution. The vulnerability can be exploited remotely.

Impact Analysis

This vulnerability can have serious impacts including unauthorized memory access and control over program execution.

  • Address leakage - exposing sensitive memory addresses.
  • Arbitrary memory read - reading memory contents without authorization.
  • VTable hijacking - redirecting virtual function calls to malicious code.
  • Denial-of-service - causing the application to crash or become unresponsive.
  • Potential arbitrary code execution - allowing attackers to run malicious code remotely.

Detection Guidance

This vulnerability involves insecure deserialization of shared polymorphic pointers in the bitsery library, which can be exploited remotely by sending crafted payloads that manipulate shared pointers during deserialization.

Detection on a network or system would involve monitoring for unusual or suspicious deserialization activity involving the bitsery library, especially payloads that attempt to manipulate shared pointers or cause type confusion.

No specific detection commands or signatures are provided in the available resources.

Mitigation Strategies

The primary mitigation step is to upgrade the bitsery library to version 5.2.5 or later, where the vulnerability has been fixed.

The fix includes improved type checking during deserialization of shared polymorphic pointers to prevent type confusion and invalid pointer assignments.

Until the upgrade can be applied, avoid deserializing untrusted input using the affected versions of the bitsery library.
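
The kind of check described above, as an added example: this is not bitsery's code or its patch, and `SharedState`, `Account` and `Label` are hypothetical names constructed for illustration. A shared-object table records the concrete type of each object the first time a pointer id is seen and refuses to share it under any other type; the sketch requires an exact type match and does not model base/derived relationships.

```cpp
#include <cstdint>
#include <memory>
#include <stdexcept>
#include <string>
#include <typeindex>
#include <typeinfo>
#include <unordered_map>

// Constructed toy types standing in for two unrelated serializable classes.
struct Account { std::uint64_t balance = 0; };
struct Label   { std::string text; };

// Hypothetical shared-object table: archive pointer id -> object + recorded type.
class SharedState {
    struct Entry { std::shared_ptr<void> obj; std::type_index type; };
    std::unordered_map<std::uint32_t, Entry> entries_;
public:
    // First sight of an id: create the object and remember its concrete type.
    template <class T>
    std::shared_ptr<T> create(std::uint32_t id) {
        auto p = std::make_shared<T>();
        if (!entries_.emplace(id, Entry{p, std::type_index(typeid(T))}).second)
            throw std::runtime_error("duplicate pointer id");
        return p;
    }
    // Later reference to an id: share ownership only if the requested type
    // is the one recorded at creation; otherwise reject the archive.
    template <class T>
    std::shared_ptr<T> load(std::uint32_t id) const {
        auto it = entries_.find(id);
        if (it == entries_.end()) throw std::runtime_error("unknown pointer id");
        if (it->second.type != std::type_index(typeid(T)))
            throw std::runtime_error("pointer id refers to a different type");
        return std::static_pointer_cast<T>(it->second.obj);
    }
};

// An id created as Account must not be handed out as Label.
bool rejects_cross_type_reference() {
    SharedState st;
    st.create<Account>(1);
    try { st.load<Label>(1); } catch (const std::runtime_error&) { return true; }
    return false;
}

bool shares_same_type_reference() {
    SharedState st;
    auto a = st.create<Account>(7);
    return st.load<Account>(7) == a;
}
```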

Compliance Impact

The provided information does not explicitly address how CVE-2026-9521 affects compliance with common standards and regulations such as GDPR or HIPAA.
