VYPR
Low severity · NVD Advisory · Published May 28, 2026

CVE-2026-9828

Description

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection, albeit heavily restricted.

More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked.

Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions.

This issue affects logback: through 1.5.32 inclusive.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Deserialization bypass in logback-core's `HardenedObjectInputStream` allows restricted object injection via `SimpleSocketServer`/`SimpleSSLSocketServer`, but no practical exploit is known.

Vulnerability

The vulnerability resides in logback-core's HardenedObjectInputStream mechanism, which is intended to restrict deserialization. However, when deserializing data received by SimpleSocketServer or SimpleSSLSocketServer, it fails to block classes from the java.lang and java.util packages that are not explicitly forbidden. This allows injection of objects from those packages if an attacker can control the serialized input. The issue affects logback versions through 1.5.32 inclusive.
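The weakness the paragraph describes, a filter that names a few blocked classes but otherwise accepts the whole java.lang and java.util packages, set beside a strict allow-list, as an added Java example that is not logback's code (it uses the JDK's own ObjectInputFilter rather than HardenedObjectInputStream; the LogEventVO class, the DeserializationFilterDemo name and the blocked Hashtable entry are constructed for illustration):

```java
import java.io.*;
import java.util.*;

public class DeserializationFilterDemo {
    // The one type the receiver legitimately expects (stand-in for a logging event VO).
    static final class LogEventVO implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        LogEventVO(String message) { this.message = message; }
    }

    // Weak rule, modelled on the advisory: a few explicitly blocked names (Hashtable here is
    // a constructed entry), then blanket acceptance of java.lang and java.util, reject the rest.
    static final ObjectInputFilter PREFIX_BLOCKLIST = ObjectInputFilter.Config.createFilter(
            "!java.util.Hashtable;java.lang.*;java.util.*;DeserializationFilterDemo$LogEventVO;!*");

    // Strict rule: name every class the stream may carry, reject everything else.
    static final ObjectInputFilter STRICT_ALLOWLIST = ObjectInputFilter.Config.createFilter(
            "DeserializationFilterDemo$LogEventVO;java.lang.String;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    // True if the whole stream deserializes under the filter, false if a class was rejected.
    static boolean accepts(byte[] data, ObjectInputFilter filter) throws IOException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(data))) {
            ois.setObjectInputFilter(filter);
            ois.readObject();
            return true;
        } catch (InvalidClassException | ClassNotFoundException e) {
            return false;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] expected = serialize(new LogEventVO("hello"));
        // Constructed sample: a java.util class the receiver never asked for and the
        // prefix rule does not name, so the weak filter lets it be instantiated.
        byte[] unexpected = serialize(new HashMap<>(Map.of("k", "v")));
        for (ObjectInputFilter f : List.of(PREFIX_BLOCKLIST, STRICT_ALLOWLIST)) {
            System.out.println((f == PREFIX_BLOCKLIST ? "prefix blocklist" : "strict allowlist")
                    + ": LogEventVO=" + accepts(expected, f) + " HashMap=" + accepts(unexpected, f));
        }
    }
}
```

Under the prefix rule both streams deserialize; under the strict allow-list only the expected LogEventVO does and the HashMap is rejected with an InvalidClassException before it is instantiated.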

Exploitation

An attacker must have network access to a logback instance running SimpleSocketServer or SimpleSSLSocketServer and be able to supply crafted serialized data. By sending a serialized object that instantiates a class from the java.lang or java.util packages not on the block list, the attacker triggers object instantiation. No authentication or user interaction is required, though the attacker's control over the serialized stream is limited by the HardenedObjectInputStream restrictions.

Impact

A successful exploit allows the attacker to instantiate arbitrary java.lang and java.util objects that are not explicitly blocked. However, due to the heavy restriction imposed by HardenedObjectInputStream, no path to remote code execution or significant privilege escalation has been identified. The issue constitutes a bypass of the intended security restrictions, but the practical impact is limited (Low severity).

Mitigation

The issue is addressed in logback version 1.5.33, as indicated by the release announcement [1]. Users should upgrade to 1.5.33 or later. No workaround is documented in the available references. For end-of-life branches (1.3.x and 1.4.x), no fix is provided.

References
  1. News

AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Qos Ch / Logback (inferred): versions <=1.5.32 (no CPE)

Patches

No patches discovered yet.

Vulnerability mechanics

No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.

News mentions

No linked articles in our index yet.