CVE-2026-11460
Deferred - Pending Action
Boost Serialization Type Confusion Vulnerability

Publication date: 2026-06-07

Last updated on: 2026-06-07

Assigner: VulDB

Description
A flaw has been found in Boost Serialization up to 1.91. The impacted element is an unknown function. The manipulation causes improper validation of the specified type of input. The attack can be initiated remotely. The exploit has been published and may be used. The maintainer was notified in August 2025 and a disclosure deadline of 90 days was set. The maintainer acknowledged the report but postponed a fix indefinitely, citing time constraints. No patch is currently available and the disclosure deadline has expired.
Meta Information
Published: 2026-06-07
Last Modified: 2026-06-07
Generated: 2026-06-08
AI Q&A: 2026-06-07
EPSS Evaluated: N/A
References: NVD, EUVD
Affected Vendors & Products (2 associated CPEs)

Vendor   Product         Version / Range
boost    serialization   up to 1.91 (inclusive)
boost    serialization   up to 1.89.0 (inclusive)
CWE
CWE-1287: The product receives input that is expected to be of a certain type, but it does not validate, or incorrectly validates, that the input is actually of the expected type.
CWE-20: The product receives input or data, but it does not validate, or incorrectly validates, that the input has the properties required to process the data safely and correctly.
AI Quick Actions
Executive Summary

CVE-2026-11460 is a vulnerability in the Boost Serialization library (versions 1.89.0 and below) that allows insecure deserialization of untrusted input, leading to type confusion and ownership confusion attacks.

These vulnerabilities can result in address leakage, arbitrary memory read, VTable hijacking, double free, denial-of-service, and arbitrary code execution.

The issue arises from the library's handling of pointers during serialization, which can be manipulated to reference arbitrary objects within the same archive. Type confusion occurs when two objects of different classes share the same memory, causing methods to operate on incorrect data types. Ownership confusion happens when pointers assumed to be unique are shared upon deserialization, leading to double-free vulnerabilities.

  • Type confusion leading to address leakage by manipulating serialized XML data.
  • Type confusion leading to VTable hijacking to redirect code execution.
  • Ownership confusion causing double-free or use-after-free vulnerabilities.

Impact Analysis

This vulnerability can have severe impacts depending on how the Boost Serialization library is used in your application.

  • It can lead to address leakage, exposing sensitive memory information.
  • It can allow arbitrary memory reads, potentially exposing confidential data.
  • It can enable VTable hijacking, allowing attackers to execute arbitrary code.
  • It can cause double-free or use-after-free conditions, leading to memory corruption and denial-of-service.

Overall, exploitation could result in denial-of-service or full compromise of the affected system.

Detection Guidance

This vulnerability involves insecure deserialization in the Boost Serialization library, which can be exploited by manipulating serialized data inputs. Detection typically requires monitoring for suspicious serialized data inputs or abnormal application behavior related to deserialization.

Since the vulnerability arises from deserialization of untrusted input, detection can involve inspecting serialized data for unexpected or malformed content, especially XML data if used, and monitoring application logs for crashes or unusual memory errors such as double-free or use-after-free.

No specific detection commands or signatures are provided in the available resources.

Mitigation Strategies

Currently, no patch or fix is available for this vulnerability as the maintainer has postponed addressing it indefinitely.

Immediate mitigation steps include:

  • Avoid deserializing untrusted or unauthenticated input data using the Boost Serialization library.
  • Implement strict input validation and sanitization on all serialized data before deserialization.
  • Consider isolating or sandboxing applications that use Boost Serialization to limit the impact of potential exploitation.
  • Monitor application behavior for signs of exploitation such as crashes, memory corruption, or unexpected behavior.

Long term, plan to update or replace the Boost Serialization library once a patch or safer alternative becomes available.

Compliance Impact

The vulnerability in Boost Serialization allows insecure deserialization of untrusted input, which can lead to arbitrary code execution, denial-of-service, and memory corruption. Such security weaknesses can potentially result in unauthorized access to sensitive data or system compromise.

Because of these risks, organizations using the affected Boost Serialization versions may face challenges in maintaining compliance with standards and regulations like GDPR and HIPAA, which require protecting data confidentiality, integrity, and availability.

Specifically, exploitation of this vulnerability could lead to data breaches or system disruptions that violate regulatory requirements for safeguarding personal or health information.

However, the exact impact on compliance depends on the context of how the vulnerable library is used within an application and the presence of other mitigating controls.
