Skip to main content

Logback CVE-2026-9828

| EUVDEUVD-2026-32895 LOW
Deserialization of Untrusted Data (CWE-502)
2026-05-28 vulnerability@ncsc.ch GHSA-p47f-322f-whfh
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Green

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:L/U:Green
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

2
CVSS changed
May 29, 2026 - 09:22 NVD
1.2 (LOW) 2.9 (LOW)
Analysis Generated
May 28, 2026 - 14:32 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 193 maven packages depend on ch.qos.logback:logback-core (11 direct, 182 indirect)

Ecosystem-wide dependent count for version 1.5.33.

DescriptionCVE.org

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted.

More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked.

Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions.

This issue affects logback: through 1.5.32 inclusive.

AnalysisAI

Security restriction bypass in logback-core's HardenedObjectInputStream allows limited object injection via logback's SimpleSocketServer and SimpleSSLSocketServer components, affecting all versions through 1.5.32 inclusive. An attacker who can influence serialized data submitted to these socket server endpoints can instantiate objects from java.lang and java.util classes not explicitly blocked by the hardened deserializer, circumventing its intended allowlist controls. The vendor and NVD both confirm no practical remote code execution or significant privilege escalation has been identified; the real-world impact is limited confidentiality and integrity exposure. No public exploit identified at time of analysis beyond E:P proof-of-concept maturity indicated in the CVSS vector. Not listed in CISA KEV.

Technical ContextAI

Logback is a widely deployed Java logging framework (successor to log4j 1.x) produced by QOS.CH. The affected component is logback-core, specifically its HardenedObjectInputStream class, which was introduced as a security hardening measure to restrict Java deserialization by blocking dangerous classes - a defense against the class of attacks popularized by Apache Commons Collections-style gadget chains. SimpleSocketServer and SimpleSSLSocketServer are logback's built-in remote logging receivers that accept serialized LoggingEvent objects over TCP sockets. The root cause is CWE-502 (Deserialization of Untrusted Data): despite HardenedObjectInputStream's blocklist, classes within java.lang and java.util are not explicitly prohibited, creating a partial bypass of the intended security boundary. The vulnerability does not constitute a full deserialization gadget chain exploit because the java.lang/java.util namespace lacks the utility classes (e.g., InvokerTransformer, ReflectionUtils) needed to achieve code execution under normal circumstances.

RemediationAI

Upgrade logback-core to version 1.5.33, which is the fix release referenced by the vendor at https://logback.qos.ch/news.html#1.5.33. The patched version is inferred from the reference URL anchor fragment but has not been independently verified against a formal advisory document - confirm the release notes at that URL before deploying. As a compensating control for organizations that cannot patch immediately, disable or firewall SimpleSocketServer and SimpleSSLSocketServer if remote socket-based log ingestion is not required, as the attack path is contingent on those components being reachable and receiving attacker-influenced serialized data. Restricting network access to the socket server port (default 4560/tcp) to trusted logging clients only further limits exposure, though the AV:L vector suggests the attacker must already have some local foothold. Given the low CVSS score and absence of practical RCE, this vulnerability does not warrant emergency patching outside of compliance-driven timelines.

Share

CVE-2026-9828 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy