CVE-2026-9521
Improper Input Validation in Bitsery Library
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: VulDB
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| fraillt | bitsery | to 5.2.5 (exc) |
| fraillt | bitsery | From 5.2.0 (inc) to 5.2.5 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-9521 is a security vulnerability in the bitsery library (up to version 5.2.4) involving insecure deserialization of untrusted input. Specifically, the function loadFromSharedState in the shared pointer handling code allows improper validation of the input type, leading to type confusion.
This vulnerability arises because the library performs shallow copies of shared pointers without proper type checking during deserialization. An attacker can manipulate pointers to reference objects of different types within the same archive, bypassing protections like ASLR and accessing or corrupting memory.
The issue can lead to address leakage, arbitrary memory reads, VTable hijacking, denial-of-service, and potentially arbitrary code execution. The vulnerability can be exploited remotely.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized memory access and control over program execution.
- Address leakage - exposing sensitive memory addresses.
- Arbitrary memory read - reading memory contents without authorization.
- VTable hijacking - redirecting virtual function calls to malicious code.
- Denial-of-service - causing the application to crash or become unresponsive.
- Potential arbitrary code execution - allowing attackers to run malicious code remotely.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves insecure deserialization of shared polymorphic pointers in the bitsery library, which can be exploited remotely by sending crafted payloads that manipulate shared pointers during deserialization.
Detection on a network or system would involve monitoring for unusual or suspicious deserialization activity involving the bitsery library, especially payloads that attempt to manipulate shared pointers or cause type confusion.
No specific detection commands or signatures are provided in the available resources.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the bitsery library to version 5.2.5 or later, where the vulnerability has been fixed.
The fix includes improved type checking during deserialization of shared polymorphic pointers to prevent type confusion and invalid pointer assignments.
Until the upgrade can be applied, avoid deserializing untrusted input using the affected versions of the bitsery library.