CVE-2026-11460 - Vulnerability Details

- Boost Serialization improper validation of specified type of input

Description

A flaw has been found in Boost Serialization up to 1.91. The impacted element is an unknown function. This manipulation causes improper validation of specified type of input. It is possible to initiate the attack remotely. The exploit has been published and may be used. The maintainer was notified on Aug 2025 and a disclosure deadline was set for 90 days. The maintainer acknowledged but postponed indefinitely citing time concerns. No patch is currently available and the disclosure deadline has expired.

Published: 2026-06-07

Score: 6.3 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

A flaw in Boost Serialization up to version 1.91 causes improper validation of the specified type of input. When a deserialization operation processes data that has not been correctly validated, an attacker could introduce crafted serialized payloads that may manipulate the internal behavior of the library. The impact is not explicitly defined in the CVE description, but the presence of an available exploit indicates that the vulnerability can result in unintended execution of code or other damaging actions depending on how the data is handled by the application.

Affected Systems

All installations of Boost Serialization through version 1.91 are vulnerable. The issue is tied to the library as a whole rather than to a specific component, so any application that performs deserialization of data using Boost Serialization in this version range is at risk.

Risk and Exploitability

The CVSS score of 6.3 reflects moderate severity, and while no EPSS score is available, the exploit has already been published, underscoring the potential for exploitation. The vulnerability is not listed in the CISA KEV catalog, but the lack of a patch and the remote nature of the attack mean that a threat actor could target exposed services that perform deserialization. The principal risk is the continued exposure of systems that process untrusted serialized input without applying the necessary validation controls.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

Boost

Serialization

affected

Version	Status	Constraints
`1.0`	affected	—
`1.1`	affected	—
`1.2`	affected	—
`1.3`	affected	—
`1.4`	affected	—
`1.5`	affected	—
`1.6`	affected	—
`1.7`	affected	—
`1.8`	affected	—
`1.9`	affected	—
`1.10`	affected	—
`1.11`	affected	—
`1.12`	affected	—
`1.13`	affected	—
`1.14`	affected	—
`1.15`	affected	—
`1.16`	affected	—
`1.17`	affected	—
`1.18`	affected	—
`1.19`	affected	—
`1.20`	affected	—
`1.21`	affected	—
`1.22`	affected	—
`1.23`	affected	—
`1.24`	affected	—
`1.25`	affected	—
`1.26`	affected	—
`1.27`	affected	—
`1.28`	affected	—
`1.29`	affected	—
`1.30`	affected	—
`1.31`	affected	—
`1.32`	affected	—
`1.33`	affected	—
`1.34`	affected	—
`1.35`	affected	—
`1.36`	affected	—
`1.37`	affected	—
`1.38`	affected	—
`1.39`	affected	—
`1.40`	affected	—
`1.41`	affected	—
`1.42`	affected	—
`1.43`	affected	—
`1.44`	affected	—
`1.45`	affected	—
`1.46`	affected	—
`1.47`	affected	—
`1.48`	affected	—
`1.49`	affected	—
`1.50`	affected	—
`1.51`	affected	—
`1.52`	affected	—
`1.53`	affected	—
`1.54`	affected	—
`1.55`	affected	—
`1.56`	affected	—
`1.57`	affected	—
`1.58`	affected	—
`1.59`	affected	—
`1.60`	affected	—
`1.61`	affected	—
`1.62`	affected	—
`1.63`	affected	—
`1.64`	affected	—
`1.65`	affected	—
`1.66`	affected	—
`1.67`	affected	—
`1.68`	affected	—
`1.69`	affected	—
`1.70`	affected	—
`1.71`	affected	—
`1.72`	affected	—
`1.73`	affected	—
`1.74`	affected	—
`1.75`	affected	—
`1.76`	affected	—
`1.77`	affected	—
`1.78`	affected	—
`1.79`	affected	—
`1.80`	affected	—
`1.81`	affected	—
`1.82`	affected	—
`1.83`	affected	—
`1.84`	affected	—
`1.85`	affected	—
`1.86`	affected	—
`1.87`	affected	—
`1.88`	affected	—
`1.89`	affected	—
`1.90`	affected	—
`1.91`	affected	—

No data.

Vendor Product Confidence Versions

Boost

Serialization

95%

Version	Status	Scheme	Platform
`[1.0,1.91]`	affected	generic	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to a Boost Serialization release newer than 1.91 if one is available to eliminate the flaw.
Implement stringent checks to ensure that only trusted and expected types are deserialized; avoid deserializing data received from untrusted external sources.
Add explicit input validation or filtering before invoking Boost Serialization deserialization to detect and reject malformed or unexpected payloads.
Apply network-level controls to limit access to services that accept serialized data, reducing the attack surface.

Generated by OpenCVE AI on June 7, 2026 at 21:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

The EPSS score is 0.00311.

Exploitation poc

Automatable yes

Technical Impact partial

References

Link	Providers
https://gist.github.com/TrebledJ/b7c872f869b5ed7cbd936f71f16c7d75
https://github.com/boostorg/serialization/issues/331
https://vuldb.com/cve/CVE-2026-11460
https://vuldb.com/submit/814455
https://vuldb.com/vuln/369080
https://vuldb.com/vuln/369080/cti

History

Mon, 08 Jun 2026 14:30:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Sun, 07 Jun 2026 20:00:00 +0000

Type	Values Removed	Values Added
Description		A flaw has been found in Boost Serialization up to 1.91. The impacted element is an unknown function. This manipulation causes improper validation of specified type of input. It is possible to initiate the attack remotely. The exploit has been published and may be used. The maintainer was notified on Aug 2025 and a disclosure deadline was set for 90 days. The maintainer acknowledged but postponed indefinitely citing time concerns. No patch is currently available and the disclosure deadline has expired.
Title		Boost Serialization improper validation of specified type of input
First Time appeared		Boost Boost serialization
Weaknesses		CWE-1287 CWE-20
CPEs		cpe:2.3:a:boost:serialization::::::::
Vendors & Products		Boost Boost serialization
References		https://gist.github.com/TrebledJ/b7c872f869b5ed7cbd936f71f16c7d75 https://github.com/boostorg/serialization/issues/331 https://vuldb.com/cve/CVE-2026-11460 https://vuldb.com/submit/814455 https://vuldb.com/vuln/369080 https://vuldb.com/vuln/369080/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}` cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Boost Serialization

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-06-07T19:30:10.324Z

Updated: 2026-06-08T13:45:44.206Z

Reserved: 2026-06-07T07:25:46.611Z

Link: CVE-2026-11460

Vulnrichment

Updated: 2026-06-08T13:45:40.442Z

NVD

Status : Deferred

Published: 2026-06-07T20:16:39.993

Modified: 2026-06-08T14:57:14.757

Link: CVE-2026-11460

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-07T22:45:09Z

Weaknesses

CWE-1287
Improper Validation of Specified Type of Input
CWE-20
Improper Input Validation

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Exploitation poc

Automatable yes

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object