Bug#1138632: logback: CVE-2026-9828
Salvatore Bonaccorso
carnil at debian.org
Mon Jun 1 16:30:26 BST 2026
Source: logback
Version: 1:1.2.11-6
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,
The following vulnerability was published for logback.
CVE-2026-9828[0]:
| Deserialization of untrusted data vulnerability in QOS.CH Sarl
| logback logback-core (HardenedObjectInputStream (logback-core)
| modules) allows Object Injection albeit heavily restricted. More
| precisely, an attacker able to influence serialized data sent to
| SimpleSocketServer or SimpleSSLSocketServer can instantiate objects
| from classes in the java.lang and java.util packages that are not
| explicitly blocked. Although deserialization is heavily restricted
| by HardenedObjectInputStream and no practical way to achieve remote
| code execution or significant privilege escalation has been
| identified, this issue constitutes a bypass of the intended
| security restrictions. This issue affects logback: through 1.5.32
| inclusive.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-9828
https://www.cve.org/CVERecord?id=CVE-2026-9828
[1] https://logback.qos.ch/news.html#1.5.33
Please adjust the affected versions in the BTS as needed.
Regards,
Salvatore
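The advisory above describes a restricted ObjectInputStream that still lets an attacker instantiate classes from java.lang and java.util that are not explicitly blocked. The defensive lesson for anyone accepting serialized objects over a socket is to name the classes you expect and reject everything else, rather than permitting whole packages and maintaining a blocklist. The following is an added example written for this report; it is not logback's HardenedObjectInputStream and makes no claim about that class's internals. It uses the standard JEP 290 java.io.ObjectInputFilter (Java 9+) with an allowlist whose entries (String, Integer/Number, ArrayList) are assumed for the demonstration, and it constructs its own sample input in memory so it runs offline.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.util.ArrayList;
import java.util.List;
import java.util.Set;

/**
 * Added example: an allowlist-only deserialization filter (JEP 290).
 * NOT logback's HardenedObjectInputStream. It illustrates the principle the
 * advisory points at: reject every class that is not explicitly named instead
 * of blocking selected classes inside a broadly permitted package.
 */
public final class AllowlistDeserializer {

    /** Exact class names the receiver legitimately expects (assumed for this example). */
    private static final Set<String> ALLOWED = Set.of(
        "java.lang.String",
        "java.util.ArrayList",
        "java.lang.Integer",
        "java.lang.Number"   // serializable superclass of Integer; the stream carries its descriptor too
    );

    /** Filter: primitives and arrays of allowed types pass, anything unnamed is REJECTED. */
    static final ObjectInputFilter ALLOWLIST_FILTER = info -> {
        Class<?> c = info.serialClass();
        if (c == null) {
            // Non-class checks (depth, reference count, stream size): apply
            // conservative limits to blunt resource-exhaustion payloads.
            return (info.depth() > 16 || info.references() > 1000)
                    ? ObjectInputFilter.Status.REJECTED
                    : ObjectInputFilter.Status.UNDECIDED;
        }
        while (c.isArray()) {
            c = c.getComponentType();   // judge arrays by their element type
        }
        if (c.isPrimitive()) {
            return ObjectInputFilter.Status.ALLOWED;
        }
        return ALLOWED.contains(c.getName())
                ? ObjectInputFilter.Status.ALLOWED
                : ObjectInputFilter.Status.REJECTED;
    };

    /** Serialize an object to bytes; used only to build constructed demo input. */
    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserialize with the allowlist filter installed before any object is read. */
    static Object deserialize(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream ois = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            ois.setObjectInputFilter(ALLOWLIST_FILTER);
            return ois.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed input: the kind of payload the receiver expects.
        List<String> expected = new ArrayList<>(List.of("INFO", "startup complete"));
        System.out.println("allowed:  " + deserialize(serialize(expected)));

        // java.util.HashMap lives in a "trusted-looking" package but is not on
        // the allowlist, so the filter rejects it instead of instantiating it.
        try {
            deserialize(serialize(new java.util.HashMap<String, String>()));
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

The filter is installed per stream before the first readObject call; a process-wide default can also be set with the jdk.serialFilter system property. The key design choice is that membership in java.lang or java.util grants nothing by itself: a class is accepted only if its exact name is on the list, so a newly discovered gadget in a permitted package is rejected without any update to a blocklist.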