CVE-2026-9828
Deserialization Bypass in logback-core
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Switzerland Government Common Vulnerability Program
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qos.ch | logback | up to and including 1.5.32 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a deserialization-of-untrusted-data issue (CWE-502) in the logback-core module of QOS.CH Sarl's logback, specifically in the HardenedObjectInputStream component, which is meant to restrict the classes that can be instantiated when serialized logging events are read.
An attacker who can influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can cause objects of certain classes in the java.lang and java.util packages that are not explicitly blocked to be instantiated on the receiving side. Only deployments that run one of these socket servers and accept connections from untrusted networks are exposed.
Although the deserialization process remains heavily restricted and no practical way to achieve remote code execution or significant privilege escalation has been identified, the behaviour bypasses the restrictions HardenedObjectInputStream is intended to enforce.
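The page describes a class allowlist that still leaves some java.lang and java.util classes reachable. The following is an added illustration, not logback's own code, of why that happens with a package-prefix allowlist and how an exact-name allowlist behaves differently: a serialized java.util.HashMap passes a resolveClass() check that admits anything under "java.util.", but is rejected by a check that only admits named classes. The class names, the allowed set and the sample objects are assumptions chosen for the demonstration.

```java
import java.io.*;
import java.util.*;

/**
 * Added illustration (not logback's code): contrast a package-prefix allowlist
 * with an exact-class-name allowlist inside ObjectInputStream.resolveClass().
 * Allowed prefixes, allowed names and the sample payloads are all assumptions.
 */
public class AllowlistDemo {

    /** Prefix allowlist: any class whose name starts with an allowed prefix resolves. */
    static class PrefixAllowlistStream extends ObjectInputStream {
        private static final List<String> ALLOWED_PREFIXES = List.of("java.lang.", "java.util.");

        PrefixAllowlistStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            for (String prefix : ALLOWED_PREFIXES) {
                if (name.startsWith(prefix)) {
                    return super.resolveClass(desc); // every class under the prefix is admitted
                }
            }
            throw new InvalidClassException("Unauthorized deserialization attempt", name);
        }
    }

    /** Exact-name allowlist: only the listed classes resolve; everything else is rejected. */
    static class ExactAllowlistStream extends ObjectInputStream {
        private static final Set<String> ALLOWED = Set.of(
                "java.lang.String", "java.lang.Integer", "java.util.ArrayList");

        ExactAllowlistStream(InputStream in) throws IOException { super(in); }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc) throws IOException, ClassNotFoundException {
            String name = desc.getName();
            if (!ALLOWED.contains(name)) {
                throw new InvalidClassException("Unauthorized deserialization attempt", name);
            }
            return super.resolveClass(desc);
        }
    }

    /** Serialize an object to bytes (stands in for the data sent to the socket server). */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Attempt a read and report whether the stream admitted or rejected the root class. */
    static String tryRead(String label, ObjectInputStream in) {
        try {
            Object o = in.readObject();
            return label + ": accepted " + o.getClass().getName();
        } catch (InvalidClassException e) {
            return label + ": rejected " + e.classname;
        } catch (IOException | ClassNotFoundException e) {
            return label + ": error " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed payloads: HashMap lives in java.util but is not on the exact allowlist.
        byte[] hashMap = serialize(new HashMap<>(Map.of("k", "v")));
        byte[] list = serialize(new ArrayList<>(List.of("a", "b")));

        System.out.println(tryRead("prefix / HashMap  ", new PrefixAllowlistStream(new ByteArrayInputStream(hashMap))));
        System.out.println(tryRead("exact  / HashMap  ", new ExactAllowlistStream(new ByteArrayInputStream(hashMap))));
        System.out.println(tryRead("exact  / ArrayList", new ExactAllowlistStream(new ByteArrayInputStream(list))));
    }
}
```

The first line shows the prefix check admitting the HashMap, the second shows the exact-name check rejecting it, and the third shows the exact-name check still admitting a class that is deliberately listed. On Java 9 and later the same exact-name policy can also be applied to an unmodified ObjectInputStream with ObjectInputFilter (for example a pattern such as "java.lang.String;java.util.ArrayList;!*" passed to ObjectInputFilter.Config.createFilter and set with setObjectInputFilter), which rejects any class not named before the final "!*".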
How can this vulnerability impact me?
This vulnerability allows an attacker who can send serialized data to a SimpleSocketServer or SimpleSSLSocketServer to bypass the intended deserialization restrictions and instantiate certain java.lang and java.util objects on the receiving host. Logback versions up to and including 1.5.32 are affected.
However, since the deserialization remains heavily restricted and no practical remote code execution or significant privilege escalation has been identified, the impact is limited; deployments that do not run either socket server are not exposed.
The overall risk is low, as reflected by the CVSS base score of 1.2.