Description
Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted.

More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked.

Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions.

This issue affects logback: through 1.5.32 inclusive.
Published: 2026-05-28
Score: 2.9 Low
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Deserialization of untrusted data in logback logback-core (CWE-502) allows an attacker to instantiate objects from java.lang or java.util packages that are not explicitly blocked in the HardenedObjectInputStream whitelist. This bypasses the intended restriction but, according to the information given, no practical remote code execution or privilege escalation has been demonstrated.

Affected Systems

The vulnerability affects QOS.CH Sarl’s logback, specifically logback-core through version 1.5.32 inclusive. All installations of logback-core up to and including 1.5.32 are impacted.

Risk and Exploitability

The CVSS score of 2.9 indicates a low severity assessment, and the EPSS score is not available. The vulnerability is not listed in the CISA KEV catalog, suggesting limited exploitation activity to date. The likely attack vector requires an attacker to influence serialized data sent to either SimpleSocketServer or SimpleSSLSocketServer, implying that the threat depends on the exposure of those endpoints and the ability to send crafted payloads. While the bypass does not yet result in confirmed remote code execution, it may compromise application logic or integrity if exploited with malicious objects.

Generated by OpenCVE AI on May 29, 2026 at 10:24 UTC.

Remediation

Vendor Solution

Upgrade to logback version 1.5.33.


OpenCVE Recommended Actions

  • Upgrade logback to version 1.5.33 or later
  • Restrict or block network access to the SimpleSocketServer and SimpleSSLSocketServer endpoints until the upgrade is applied
  • Implement input validation or sanitization to ensure only expected serialized data is accepted before deserialization

Advisories

No advisories yet.

History

Fri, 29 May 2026 09:00:00 +0000

Type: Metrics
Values Removed: cvssV4_0 {'score': 1.2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/RE:L/U:Green'}
Values Added: cvssV4_0 {'score': 2.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/RE:L/U:Green'}

Thu, 28 May 2026 15:30:00 +0000

Type: Metrics
Values Removed: (none)
Values Added: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 28 May 2026 14:15:00 +0000

Type: Description
Values Removed: (none)
Values Added: Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted. More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked. Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions. This issue affects logback: through 1.5.32 inclusive.

Type: Title
Values Removed: (none)
Values Added: Logback deserialization whitelist bypass for java.lang and java.util

Type: Weaknesses
Values Removed: (none)
Values Added: CWE-502

Type: References
Values Removed: (none)
Values Added: (none)

Type: Metrics
Values Removed: (none)
Values Added: cvssV4_0 {'score': 1.2, 'vector': 'CVSS:4.0/AV:L/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/RE:L/U:Green'}

MITRE

Status: PUBLISHED

Assigner: NCSC.ch

Published:

Updated: 2026-05-29T08:07:39.510Z

Reserved: 2026-05-28T11:55:19.674Z

Link: CVE-2026-9828

Vulnrichment

Updated: 2026-05-28T14:20:33.887Z

NVD

Status: Deferred

Published: 2026-05-28T14:16:27.430

Modified: 2026-05-29T15:39:34.620

Link: CVE-2026-9828

OpenCVE Enrichment

Updated: 2026-05-29T10:30:41Z

Weaknesses