CVE-2026-9521 - Vulnerability Details

Description

A security vulnerability has been detected in fraillt bitsery up to 5.2.4. Affected is the function loadFromSharedState in the library include/bitsery/ext/std_smart_ptr.h. Such manipulation leads to improper validation of specified type of input. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 5.2.5 is able to address this issue. The name of the patch is 66d16516e24893bebc1c8af52bf2fe9ad0735061. Upgrading the affected component is advised.

Published: 2026-05-26

Score: 6.3 Medium

EPSS: n/a

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability arises from improper type validation in the loadFromSharedState function of the Fraillt bitsery library. When an attacker supplies crafted serialized data that the function accepts as a valid instance of a shared pointer type, the library may read or write memory incorrectly. This flaw can lead to memory corruption and potentially allow arbitrary code execution, compromising the confidentiality, integrity, and availability of the host application.

Affected Systems

The affected product is the Fraillt bitsery serialization library, on versions up to and including 5.2.4. The component impacted is include/bitsery/ext/std_smart_ptr.h. The issue is fixed in release 5.2.5, which incorporates the commit 66d16516e24893bebc1c8af52bf2fe9ad0735061. Any installation of 5.2.5 or later is immune.

Risk and Exploitability

The CVSS score of 6.3 classifies the flaw as medium severity. No EPSS score is available, so exploitation likelihood cannot be quantified, but the vulnerability has been publicly disclosed and can be exploited remotely. The KEV catalog does not list it. The likely attack vector is by an attacker supplying malicious serialized data over a network to an application that calls loadFromSharedState, often through an untrusted deserialization endpoint. Based on the description, it is inferred that remote exposure of this function creates the opportunity for exploitation.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

fraillt

bitsery

affected

Version	Status	Constraints
`5.2.0`	affected	—
`5.2.1`	affected	—
`5.2.2`	affected	—
`5.2.3`	affected	—
`5.2.4`	affected	—
`5.2.5`	unaffected	—

No data.

No data available yet.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade the Fraillt bitsery library to v5.2.5 or later, which includes the fix for loadFromSharedState type validation.
If an upgrade is not immediately possible, restrict calls to loadFromSharedState to internal or trusted data sources and avoid feeding untrusted network payloads.
If a patch cannot be applied, consider applying the individual commit 66d16516e24893bebc1c8af52bf2fe9ad0735061 or manually reviewing the source to enforce stronger type validation before deserialization.

Generated by OpenCVE AI on May 26, 2026 at 03:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

This CVE is not in the KEV list.

No EPSS score available.

Key SSVC decision points have not yet been added.

References

Link	Providers
https://gist.github.com/TrebledJ/750abc64a826f19dd2d6774724629b71
https://github.com/fraillt/bitsery/
https://github.com/fraillt/bitsery/blob/master/CHANGELOG.md#525-2025-10-09
https://github.com/fraillt/bitsery/commit/66d16516e24893bebc1c8af52bf2fe9ad0735061
https://github.com/fraillt/bitsery/releases/tag/v5.2.5
https://vuldb.com/submit/814457
https://vuldb.com/vuln/365541
https://vuldb.com/vuln/365541/cti

History

Tue, 26 May 2026 02:15:00 +0000

Type	Values Removed	Values Added
Description		A security vulnerability has been detected in fraillt bitsery up to 5.2.4. Affected is the function loadFromSharedState in the library include/bitsery/ext/std_smart_ptr.h. Such manipulation leads to improper validation of specified type of input. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 5.2.5 is able to address this issue. The name of the patch is 66d16516e24893bebc1c8af52bf2fe9ad0735061. Upgrading the affected component is advised.
Title		fraillt bitsery std_smart_ptr.h loadFromSharedState improper validation of specified type of input
First Time appeared		Fraillt Fraillt bitsery
Weaknesses		CWE-1287 CWE-20
CPEs		cpe:2.3:a:fraillt:bitsery::::::::
Vendors & Products		Fraillt Fraillt bitsery
References		https://gist.github.com/TrebledJ/750abc64a826f19dd2d6774724629b71 https://github.com/fraillt/bitsery/ https://github.com/fraillt/bitsery/blob/master/CHANGELOG.md#525-2025-10-09 https://github.com/fraillt/bitsery/commit/66d16516e24893bebc1c8af52bf2fe9ad0735061 https://github.com/fraillt/bitsery/releases/tag/v5.2.5 https://vuldb.com/submit/814457 https://vuldb.com/vuln/365541 https://vuldb.com/vuln/365541/cti
Metrics		cvssV2_0 `{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C'}` cvssV3_0 `{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV3_1 `{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C'}` cvssV4_0 `{'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}`

Subscriptions

Fraillt Bitsery

MITRE

Status: PUBLISHED

Assigner: VulDB

Published: 2026-05-26T02:00:15.197Z

Updated: 2026-05-26T02:00:15.197Z

Reserved: 2026-05-25T19:17:31.511Z

Link: CVE-2026-9521

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T04:00:13Z

Weaknesses

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required None

Attack Requirements Present

User Interaction None

Vulnerable System Confidentiality Impact Low

Vulnerable System Integrity Impact Low

Vulnerable System Availability Impact Low

Subsequent System Confidentiality Impact None

Subsequent System Integrity Impact None

Subsequent System Availability Impact None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact Low

User Interaction None

Access Vector Network

Access Complexity Low

Authentication None

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object