CVE-2020-11105
Description
Cereal's std::shared_ptr serialization uses raw pointer addresses as unique keys, causing data mismatches when freed pointers are reused.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Cereal through version 1.3.0 has a design flaw in its serialization of std::shared_ptr objects: the output archive caches every shared pointer it has written, keyed by the raw memory address of the pointee, and treats any later std::shared_ptr whose address is already in the cache as a back-reference to the earlier object rather than as a new value [1]. If a std::shared_ptr goes out of scope and its object is freed while the archive is still in use, and a new object is then allocated at the same address, the serializer emits the new pointer as a reference to the old one and its value is never written. Serialization fidelity therefore depends on memory layout and allocator behaviour rather than on the values being serialized [1].
Exploitation
No attacker action or special privilege is required; the mismatch arises on its own during ordinary serialization and deserialization with cereal. It occurs when several std::shared_ptr objects are written to the same archive and one of them is released before the next is allocated, so that the allocator hands out the freed address again, which common allocators readily do for consecutive allocations of the same size. A short program in the report serializes a shared_ptr holding true, lets it die, serializes a new shared_ptr holding false at the same address, and reads both back as true [1]. Nothing beyond running the affected code is needed.
Impact
The effect is silent data corruption: deserialized std::shared_ptr values may not match the values that were serialized [1], and the archive itself looks well formed, so the error is not detected at load time. This breaks data integrity and can lead to incorrect program behaviour depending on what the affected objects control. Information disclosure or code execution is not directly achievable from the behaviour described in the report, but the bug undermines any use of cereal that relies on std::shared_ptr values round-tripping correctly.
Mitigation
Cereal version 1.3.1 or later is expected to contain a fix, but the GitHub issue [1] remains open as of the reference date. Users should update to the latest release when one is available. Until then, the practical workaround follows from the mechanism: because the address cache lives in the archive object, every std::shared_ptr written to an archive should be kept alive until that archive has been destroyed, so that no address can be recycled while the archive is open. Alternatively, use a separate archive for each object whose lifetime cannot be controlled.
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- USC iLab cereal
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The cereal library caches std::shared_ptr values using the raw pointer address as a unique identifier, causing deserialization to incorrectly treat a newly allocated pointer at a freed address as a duplicate of the original."
Attack vector
An attacker who can influence the order in which `std::shared_ptr` objects are created, released and serialized can trigger the caching behaviour, although no attacker is needed for it to occur. When a `std::shared_ptr` goes out of scope and its object is freed, a new `std::shared_ptr` may be allocated at the same raw address. The output archive treats the new pointer as a duplicate of the old one because the cache is keyed by address alone, and the loader resolves the resulting back-reference to the earlier object, so the deserialized value is wrong. This is a logic error in serialization fidelity, not a memory-safety fault in the library itself [1].
Affected code
The issue is in the cereal library's caching mechanism for `std::shared_ptr` values, which uses the raw pointer address as the unique identifier of a shared object. The `std::shared_ptr` save and load logic lives in `cereal/types/memory.hpp`; the address-keyed map it consults (the `registerSharedPointer` and `getSharedPointer` helpers) is a member of the archive base classes in `cereal/cereal.hpp`, so the cache persists for as long as the archive object does.
What the fix does
The advisory does not include a patch. The recommended direction is to stop identifying shared objects by raw address alone, for example with a monotonically increasing counter or with the pointer combined with a generation counter, so that a freed and reallocated address is not mistaken for the object previously stored there. Note that a counter by itself cannot establish identity, since two live `std::shared_ptr` instances to the same object must still be recognized as one; what breaks the scheme is that an address can be recycled while the archive is open. A straightforward way to close that gap is for the output archive to retain a copy of each `std::shared_ptr` it records, which keeps the pointee alive for the archive's lifetime and makes address equality mean object identity again.
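The following is an added, self-contained model of the flaw and of the retention-based fix described above; it is illustrative code written for this page, not cereal's own, and the class names (`AddressKeyedOutput`, `OwningOutput`, `SlotPool`, `Record`) are hypothetical. It replays the true-then-false scenario from the Exploitation section: a two-slot pool stands in for the heap allocator so that address reuse is deterministic, the vulnerable archive emits the second pointer as a back-reference and both values load as true, and the archive that pins each shared_ptr it records loads them correctly.

```cpp
// Added model of cereal's address-keyed std::shared_ptr cache (CVE-2020-11105).
// Not cereal's code; names are hypothetical. It reproduces the mechanism from
// issue #636: the writer identifies shared objects by raw address, so a second
// object allocated at a freed address is written as a back-reference to the
// first and loads with the first object's value.
#include <cstdint>
#include <cstdio>
#include <map>
#include <memory>
#include <new>
#include <vector>

// One entry in the serialized stream: a new object (id + value) or a
// back-reference to an id already written, mirroring cereal's msb_32bit tag.
struct Record {
    std::uint32_t id;
    bool is_new;
    bool value;   // only meaningful when is_new
};

// Vulnerable model (cereal through 1.3.0): the cache is keyed by address only.
class AddressKeyedOutput {
    std::map<const void*, std::uint32_t> seen_;
    std::uint32_t next_id_ = 1;
public:
    std::vector<Record> records;
    void save(const std::shared_ptr<bool>& p) {
        auto it = seen_.find(p.get());
        if (it != seen_.end()) {               // address seen before: assume same object
            records.push_back({it->second, false, false});
            return;
        }
        std::uint32_t id = next_id_++;
        seen_[p.get()] = id;
        records.push_back({id, true, *p});
    }
};

// Hardened model: the archive also keeps a copy of every shared_ptr it has
// seen, so no pointee can be destroyed (and its address recycled) while the
// archive is alive. Address equality then really does mean identity.
class OwningOutput {
    std::map<const void*, std::uint32_t> seen_;
    std::vector<std::shared_ptr<const void>> keep_alive_;
    std::uint32_t next_id_ = 1;
public:
    std::vector<Record> records;
    void save(const std::shared_ptr<bool>& p) {
        auto it = seen_.find(p.get());
        if (it != seen_.end()) {
            records.push_back({it->second, false, false});
            return;
        }
        std::uint32_t id = next_id_++;
        seen_[p.get()] = id;
        keep_alive_.push_back(p);              // pin the object for the archive's lifetime
        records.push_back({id, true, *p});
    }
};

// Loader: a back-reference resolves to whatever object was loaded for that id.
std::vector<bool> load(const std::vector<Record>& recs) {
    std::map<std::uint32_t, std::shared_ptr<bool>> table;
    std::vector<bool> out;
    for (const Record& r : recs) {
        if (r.is_new) table[r.id] = std::make_shared<bool>(r.value);
        out.push_back(*table.at(r.id));
    }
    return out;
}

// Two-slot pool standing in for the heap allocator (constructed for the demo).
// A freed slot is handed out again before an unused one, making reuse deterministic.
class SlotPool {
    alignas(bool) unsigned char storage_[2][sizeof(bool)];
    bool in_use_[2] = {false, false};
public:
    std::shared_ptr<bool> make(bool v) {
        for (int i = 0; i < 2; ++i) {
            if (in_use_[i]) continue;
            in_use_[i] = true;
            bool* obj = new (storage_[i]) bool(v);
            return std::shared_ptr<bool>(obj, [this, i](bool*) { in_use_[i] = false; });
        }
        throw std::bad_alloc();
    }
};

// The reported scenario: save `true`, let its owner go out of scope, then save
// a freshly allocated `false`, and read both back.
template <class Archive>
std::vector<bool> round_trip() {
    SlotPool pool;                             // outlives the archive and both pointers
    Archive ar;
    {
        std::shared_ptr<bool> first = pool.make(true);
        ar.save(first);
    }                                          // slot freed here unless the archive pinned it
    std::shared_ptr<bool> second = pool.make(false);
    ar.save(second);
    return load(ar.records);
}

int main() {
    for (bool b : round_trip<AddressKeyedOutput>()) std::printf("vulnerable: %d\n", b);
    for (bool b : round_trip<OwningOutput>()) std::printf("hardened:   %d\n", b);
    return 0;
}
```

With the address-keyed archive the second save finds the recycled address in its cache and emits a back-reference, so the stream holds one value and the loader returns true twice; with the owning archive the first object stays alive, the pool hands out a different slot, and the stream carries both values.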
Preconditions
- input: The attacker must be able to influence the lifetime and allocation order of std::shared_ptr objects being serialized.
- config: The application must use cereal's serialization for std::shared_ptr types.
Generated on May 31, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. https://github.com/USCiLab/cereal/issues/636
News mentions
No linked articles in our index yet.