CVE-2026-10532
Object Injection in Logback Core via HardenedObjectInputStream
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: Switzerland Government Common Vulnerability Program
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| qos_ch_sarl | logback | up to 1.5.33 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-502 | The product deserializes untrusted data without sufficiently ensuring that the resulting data will be valid. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a deserialization-of-untrusted-data issue (CWE-502) in the logback-core module of QOS.CH Sarl's logback, specifically in the HardenedObjectInputStream component.
An attacker who can influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate Proxy objects.
Although the deserialization process is heavily restricted and no practical way to achieve remote code execution or significant privilege escalation has been identified, this vulnerability bypasses the intended security restrictions.
How can this vulnerability impact me?
The impact of this vulnerability is limited because no practical remote code execution or significant privilege escalation has been identified.
However, it allows an attacker to bypass the intended security restrictions by instantiating Proxy objects through manipulated serialized data.
The CVSS base score is 2.9, indicating a low severity impact.
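The answers above describe the defensive pattern at stake: a receiver that deserializes Java objects from the network must decide, class by class, what it will instantiate, and dynamic proxy classes need an explicit decision because they are resolved through a separate code path from ordinary classes. The following is an added illustration of that principle using the JDK's own `java.io.ObjectInputFilter` (Java 9+); it is not logback's HardenedObjectInputStream, not code from the logback project, and the `LogEvent` and `Greeter` types and the size limits are constructed for this example. The filter admits only an allowlisted event type, rejects any class for which `Proxy.isProxyClass` is true, and caps graph depth, reference count and array length so a stream cannot exhaust the receiver before the class check fires.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;

public class ProxyRejectingDeserializer {

    /** Constructed stand-in for an event type a log receiver legitimately expects. */
    public static final class LogEvent implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        LogEvent(String message) { this.message = message; }
    }

    /** Constructed interface that a dynamic proxy could implement on the wire. */
    public interface Greeter extends Serializable { String greet(); }

    /**
     * Called by ObjectInputStream for every class it is about to resolve,
     * including the generated class of a dynamic proxy. Default-deny:
     * only the expected event type (and String, which it contains) is admitted.
     */
    static final ObjectInputFilter FILTER = info -> {
        // Resource limits are checked first so a hostile stream cannot
        // build a huge graph before any class decision is reached.
        if (info.depth() > 8 || info.references() > 1_000 || info.arrayLength() > 10_000) {
            return ObjectInputFilter.Status.REJECTED;
        }
        Class<?> c = info.serialClass();
        if (c == null) {
            // No class in this call (e.g. only size information); limits above still applied.
            return ObjectInputFilter.Status.UNDECIDED;
        }
        if (Proxy.isProxyClass(c)) {
            // Dynamic proxy classes are resolved via resolveProxyClass, not the normal
            // class lookup, so they must be rejected explicitly rather than by omission.
            return ObjectInputFilter.Status.REJECTED;
        }
        if (c == LogEvent.class || c == String.class) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ObjectInputFilter.Status.REJECTED;
    };

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes with the filter installed; rejected classes raise InvalidClassException. */
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Expected event type passes the filter.
        LogEvent ok = (LogEvent) deserialize(serialize(new LogEvent("hello")));
        System.out.println("accepted: " + ok.message);

        // A locally built, serializable dynamic proxy is refused before its handler is read.
        InvocationHandler handler = (InvocationHandler & Serializable) (p, m, a) -> "hi";
        Object proxy = Proxy.newProxyInstance(
                Greeter.class.getClassLoader(), new Class<?>[] { Greeter.class }, handler);
        try {
            deserialize(serialize(proxy));
            System.out.println("unexpected: proxy was accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected proxy class: " + e.getMessage());
        }
    }
}
```

Run with `java ProxyRejectingDeserializer.java` (Java 11+ single-file launch). The first call prints the accepted message; the second ends in `InvalidClassException` with a `filter status: REJECTED` message, because the stream's proxy class descriptor reaches the filter before any field or handler data is read. The same default-deny shape, with an allowlist of exactly the event types a log receiver expects, is the check a defender wants on any socket-based log receiver.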