CVE-2026-11460
Description
Boost Serialization up to 1.91 is vulnerable to insecure deserialization, potentially leading to type confusion, memory corruption, and arbitrary code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A flaw exists in Boost Serialization up to version 1.91, specifically in versions 1.89.0 and below [1, 2]. The vulnerability stems from improper validation of deserialized input, which can lead to type confusion and ownership confusion under certain conditions [1]. The maintainer was notified in August 2025, but a patch is not yet available, and the disclosure deadline has expired [2].
Exploitation
An attacker can exploit this vulnerability remotely by providing untrusted serialized input to an application that uses the Boost Serialization library [1]. The exploitability and impact are highly dependent on the application's code and how it handles deserialized objects. Specific attack vectors include deserializing pointers to arbitrary objects, leading to type confusion, ownership confusion, and potential memory corruption [1].
Impact
Successful exploitation can result in various impacts, including address leakage, arbitrary memory read, VTable hijacking, double free, denial-of-service, and arbitrary code execution [1]. The scope of the compromise depends on the privileges of the application processing the serialized data. Type confusion can occur when objects of different classes share memory, and ownership confusion can arise from violations of ownership models, potentially leading to double-free vulnerabilities [1].
Mitigation
No patch is currently available for this vulnerability, and the maintainer has indefinitely postponed its development [2]. Users are advised to be cautious when deserializing untrusted input. The library versions affected are 1.89.0 and below [1, 2].
AI Insight generated on Jun 7, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- (no CPE)
- (no CPE), range: <=1.91
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Improper validation of input during deserialization allows for type and ownership confusion."
Attack vector
An attacker can craft a malicious serialized input, such as an XML archive, to exploit vulnerabilities in Boost Serialization. By manipulating object IDs and tracking levels, an attacker can cause deserialized objects of different types to share the same memory space. This can lead to address leakage, arbitrary memory reads, VTable hijacking, double frees, and potentially arbitrary code execution, depending on the application's code [1]. The attack can be initiated remotely.
Affected code
The vulnerability lies within the Boost Serialization library, specifically in how it handles the deserialization of pointers and manages object ownership. The reference write-up details issues in functions related to pointer deserialization and tracking, which are susceptible to type and ownership confusion attacks [1].
What the fix does
No patch is currently available for this vulnerability. The advisory suggests implementing checks during deserialization to verify that the expected class matches the object reference, particularly in functions like basic_iarchive_impl::load_pointer or basic_iarchive_impl::track. For polymorphic types, this may involve traversing inheritance relationships. Additionally, for ownership confusion, it is recommended to prevent unique_ptr from being referenced by other unique_ptrs by maintaining a record of uniquely owned addresses and flagging attempts to re-reference as errors [1].
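A self-contained model of the two checks recommended above, added here as an illustration; it is not Boost code and not a patch from the maintainer. TrackingTable, its methods and the sample class names are hypothetical, and class-name strings stand in for the type information a real archive carries.

```cpp
// Added illustration, not Boost code: every name below is hypothetical.
#include <cstdio>
#include <map>
#include <set>
#include <stdexcept>
#include <string>

class TrackingTable {
    std::map<unsigned, std::string> type_of_;                // object id -> class seen at first load
    std::set<std::pair<std::string, std::string>> derives_;  // (derived, base), registered by the app
    std::set<unsigned> uniquely_owned_;                      // ids already claimed by a unique owner
    // True if `actual` is `expected` or inherits from it (assumes an acyclic hierarchy).
    bool is_a(const std::string& actual, const std::string& expected) const {
        if (actual == expected) return true;
        for (const auto& e : derives_)
            if (e.first == actual && is_a(e.second, expected)) return true;
        return false;
    }
public:
    void register_base(const std::string& derived, const std::string& base) { derives_.emplace(derived, base); }
    // First occurrence of an object id in the archive: remember its class.
    void track_new(unsigned id, const std::string& cls) {
        if (!type_of_.emplace(id, cls).second) throw std::runtime_error("object id defined twice");
    }
    // Back-reference to a loaded object: the expected class must match or be a base.
    void resolve_reference(unsigned id, const std::string& expected) const {
        auto it = type_of_.find(id);
        if (it == type_of_.end()) throw std::runtime_error("unknown object id");
        if (!is_a(it->second, expected))
            throw std::runtime_error("type confusion: " + it->second + " read as " + expected);
    }
    // A unique owner (unique_ptr in the advisory) claims an object: allowed once.
    void claim_unique(unsigned id, const std::string& expected) {
        resolve_reference(id, expected);
        if (!uniquely_owned_.insert(id).second)
            throw std::runtime_error("ownership confusion: second unique owner");
    }
};

template <class F> bool rejected(F op) {  // runs op, reports whether the table threw
    try { op(); return false; } catch (const std::runtime_error&) { return true; }
}

int main() {  // constructed sample: two objects as an archive might declare them
    TrackingTable t;
    t.register_base("Circle", "Shape");
    t.track_new(1, "Circle"); t.track_new(2, "Account");
    std::printf("Account as Shape rejected: %d\n", rejected([&] { t.resolve_reference(2, "Shape"); }));
}
```

The model rejects a second unique claim on an object id even when the requested type is valid, which is the re-reference case the advisory asks to flag as an error.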
Preconditions
- input: The application must deserialize untrusted input using Boost Serialization.
- network: The attack can be initiated remotely.
Generated on Jun 7, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (6)
News mentions
No linked articles in our index yet.