Bitsery
Improper type validation in fraillt bitsery's smart pointer deserialization extension exposes applications that process attacker-controlled serialized data to partial confidentiality, integrity, and availability compromise. The vulnerable function loadFromSharedState in include/bitsery/ext/std_smart_ptr.h fails to validate polymorphic type identity before performing reinterpret_cast operations, allowing a remote unauthenticated attacker to supply crafted serialized input that triggers unsafe memory access. A publicly available proof-of-concept exploit exists (GitHub gist), though EPSS remains very low at 0.07% (21st percentile) and this CVE is not listed in CISA KEV, suggesting no observed widespread exploitation at time of analysis.