Bug#1139180: logback: CVE-2026-10532
Salvatore Bonaccorso
carnil at debian.org
Sat Jun 6 20:30:08 BST 2026
Source: logback
Version: 1:1.2.11-3
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Hi,

The following vulnerability was published for logback.

CVE-2026-10532[0]:
| Deserialization of untrusted data vulnerability in QOS.CH Sarl
| logback logback-core (HardenedObjectInputStream (logback-core)
| modules) allows Object Injection, albeit heavily restricted. More
| precisely, an attacker able to influence serialized data sent to
| SimpleSocketServer or SimpleSSLSocketServer can instantiate Proxy
| objects. Although deserialization is heavily restricted by
| HardenedObjectInputStream and no practical way to achieve remote
| code execution or significant privilege escalation has been
| identified, this issue constitutes a bypass of the intended
| security restrictions. This issue affects logback: through 1.5.33
| inclusive.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-10532
    https://www.cve.org/CVERecord?id=CVE-2026-10532
[1] https://logback.qos.ch/news.html#1.5.34

Regards,
Salvatore
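The bypass the CVE text describes turns on a detail of java.io.ObjectInputStream: an allowlist enforced only in resolveClass never sees a dynamic proxy descriptor, because the JDK routes those to resolveProxyClass. The Java program below is an added example written for this report, not logback's HardenedObjectInputStream and not the upstream 1.5.34 fix; RestrictedObjectInputStream, EchoHandler and the allowlist are constructed for the demonstration. It serializes a java.lang.reflect.Proxy and reads it back twice, once with only resolveClass restricted and once with resolveProxyClass also rejecting proxies.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.io.Serializable;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Set;

public class ProxyAwareInputStreamDemo {

    /** Allowlist-based stream constructed for this example (not logback's class). */
    static class RestrictedObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;
        private final boolean rejectProxies;

        RestrictedObjectInputStream(InputStream in, Set<String> allowed, boolean rejectProxies)
                throws IOException {
            super(in);
            this.allowed = allowed;
            this.rejectProxies = rejectProxies;
        }

        // Ordinary (TC_CLASSDESC) descriptors are resolved here, so this is where
        // a typical allowlist lives.
        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(), "class not on allowlist");
            }
            return super.resolveClass(desc);
        }

        // Proxy descriptors (TC_PROXYCLASSDESC) never reach resolveClass; the JDK
        // calls this method instead, generating the proxy class and loading every
        // listed interface. A stream that only overrides resolveClass lets them through.
        @Override
        protected Class<?> resolveProxyClass(String[] interfaces)
                throws IOException, ClassNotFoundException {
            if (rejectProxies) {
                throw new InvalidClassException(String.join(",", interfaces),
                        "dynamic proxies are not permitted");
            }
            return super.resolveProxyClass(interfaces);
        }
    }

    /** Harmless serializable handler, constructed for the demo. */
    static class EchoHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;

        @Override
        public Object invoke(Object proxy, Method m, Object[] args) {
            return null;
        }
    }

    /** Serializes a dynamic proxy for java.lang.Runnable backed by EchoHandler. */
    static byte[] serializedProxy() throws IOException {
        Object proxy = Proxy.newProxyInstance(
                ProxyAwareInputStreamDemo.class.getClassLoader(),
                new Class<?>[] {Runnable.class},
                new EchoHandler());
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) {
            oos.writeObject(proxy);
        }
        return bos.toByteArray();
    }

    /** Reads the bytes with the allowlist stream and reports what happened. */
    static String tryRead(byte[] data, boolean rejectProxies) {
        // java.lang.reflect.Proxy is allowlisted because the proxy's superclass
        // descriptor does pass through resolveClass, but only after
        // resolveProxyClass has already defined the proxy class.
        Set<String> allowlist = Set.of(EchoHandler.class.getName(), "java.lang.reflect.Proxy");
        try (RestrictedObjectInputStream in = new RestrictedObjectInputStream(
                new ByteArrayInputStream(data), allowlist, rejectProxies)) {
            Object o = in.readObject();
            return "accepted " + o.getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected: " + e.getMessage();
        } catch (IOException | ClassNotFoundException e) {
            return "error: " + e;
        }
    }

    public static void main(String[] args) throws IOException {
        byte[] data = serializedProxy();
        System.out.println("resolveClass only:      " + tryRead(data, false));
        System.out.println("plus resolveProxyClass: " + tryRead(data, true));
    }
}
```

Compile with javac and run the class: the first line reports the proxy instance as accepted even though the allowlist names only two classes, the second reports it as rejected. A Java 9+ ObjectInputFilter installed with setObjectInputFilter is also consulted for proxy classes, but like the superclass check it runs after the proxy class has already been defined, so overriding resolveProxyClass is the earliest point at which a defender can refuse proxies outright.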