Skip to main content

bitsery CVE-2026-9521

| EUVD-2026-31780 LOW
Improper Validation of Specified Type of Input (CWE-1287)
2026-05-26 VulDB GHSA-xvwh-vh35-wwv2
Information Disclosure Bitsery
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

4
Source Code Evidence Fetched
Jun 08, 2026 - 13:03 vuln.today
Analysis Generated
Jun 08, 2026 - 13:03 vuln.today
Severity Changed
May 26, 2026 - 20:07 NVD
HIGH LOW
CVSS changed
May 26, 2026 - 20:07 NVD
7.3 (HIGH) 2.9 (LOW)

DescriptionCVE.org

A security vulnerability has been detected in fraillt bitsery up to 5.2.4. Affected is the function loadFromSharedState in the library include/bitsery/ext/std_smart_ptr.h. Such manipulation leads to improper validation of specified type of input. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 5.2.5 is able to address this issue. The name of the patch is 66d16516e24893bebc1c8af52bf2fe9ad0735061. Upgrading the affected component is advised.

AnalysisAI

Improper type validation in fraillt bitsery's smart pointer deserialization extension exposes applications that process attacker-controlled serialized data to partial confidentiality, integrity, and availability compromise. The vulnerable function loadFromSharedState in include/bitsery/ext/std_smart_ptr.h fails to validate polymorphic type identity before performing reinterpret_cast operations, allowing a remote unauthenticated attacker to supply crafted serialized input that triggers unsafe memory access. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts
Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify service consuming bitsery-deserialized input
Delivery
Craft binary payload with mismatched polymorphic type encoding
Exploit
Transmit payload over network
Execution
Trigger loadFromSharedState with invalid type
Persist
Unsafe reinterpret_cast executes without type check
Impact
Partial memory disclosure or corruption achieved
Sign in to reveal

Vulnerability AssessmentAI

Exploitation Exploitation requires the target application to be using bitsery's smart pointer extension with polymorphic type support - specifically, the PointerOwner, PointerObserver, or ReferencedByPointer extension wrappers applied to polymorphic class hierarchies during deserialization. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Despite the network-accessible attack vector (AV:N), low complexity (AC:L), and no privilege requirement (PR:N/UI:N), the overall CVSS 4.0 score of 2.9 is substantially reduced by AT:P (Attack Requirements: Present), indicating a prerequisite condition must be satisfied. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits crafted binary-serialized data to a network service that uses bitsery to deserialize polymorphic shared_ptr types - for example, a game server or IPC endpoint accepting serialized game state or configuration objects. The malicious payload encodes a shared pointer whose stored base type is incompatible with the expected derived type, causing loadFromSharedState to perform an unsafe reinterpret_cast without type validation, resulting in out-of-bounds or type-confused memory access that leaks memory contents or causes partial data corruption. …
Remediation Upgrade bitsery to version 5.2.5 or later - the vendor-released patch is available at https://github.com/fraillt/bitsery/releases/tag/v5.2.5, with the specific fix applied in commit 66d16516e24893bebc1c8af52bf2fe9ad0735061. … Detailed patch versions, workarounds, and compensating controls in full report.
Sign in to read full assessment

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-9521 vulnerability details – vuln.today
Back

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy