Which versions of USCiLab Cereal are affected by CVE-2026-11463?

A memory corruption vulnerability in the Cereal C++ serialization library (versions through 1.3.2) can be remotely exploited; publicly available exploit code exists.

Is there a public PoC exploit available for CVE-2026-11463?

Yes, a public proof-of-concept exploit is available for CVE-2026-11463. Prioritise patching immediately. EPSS: 0.0%.

How to fix or mitigate CVE-2026-11463?

Within 24 hours: Conduct comprehensive inventory of all systems, applications, and dependencies using Cereal library version 1.3.2 or earlier (including transitive dependencies, development environments, and compiled artifacts). Within 7 days: Implement network segmentation to isolate applications accepting Cereal-serialized input, disable untrusted data deserialization where operationally feasible, and initiate evaluation of replacement serialization libraries (Protocol Buffers, MessagePack, JSON-based alternatives). Within 30 days: Complete remediation via application re-architecture to eliminate Cereal dependency or apply vendor patch immediately upon release.

USCiLab Cereal CVE-2026-11463

Q: What is the CVSS score of CVE-2026-11463?

CVE-2026-11463 has a CVSS 4.0 base score of 2.9 (Low). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

EUVD-2026-34994 LOW

Access of Resource Using Incompatible Type (Type Confusion) (CWE-843)

2026-06-07 VulDB

GHSA-vf62-69cf-f6mv

Information Disclosure Memory Corruption Cereal

2.9

CVSS 4.0 · NVD

Temporal: 6.6

Severity by source

NVD PRIMARY

2.9 LOW

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

CIRCL (temporal)

6.6 MEDIUM

cvss

Primary rating from NVD.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Severity Changed

Jun 07, 2026 - 23:22 NVD

HIGH LOW

CVSS changed

Jun 07, 2026 - 23:22 NVD

7.3 (HIGH) 2.9 (LOW)

Analysis Generated

Jun 07, 2026 - 22:43 vuln.today

DescriptionCVE.org

A vulnerability was determined in USCiLab Cereal up to 1.3.2. Affected is an unknown function of the component Shared Pointer Handler. Executing a manipulation can lead to type confusion. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.

AnalysisAI

Type confusion in USCiLab Cereal C++ serialization library through version 1.3.2 allows remote attackers to trigger memory corruption via the Shared Pointer Handler component when deserializing untrusted input. Publicly available exploit code exists (published as a GitHub gist), and the issue was disclosed by VulDB after early vendor contact. …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access

Identify app deserializing Cereal data

Delivery

Reach network deserialization endpoint

Exploit

Send crafted shared_ptr payload

Execution

Trigger type confusion in handler

Persist

Corrupt memory or leak object state

Impact

Disclose sensitive data or hijack control