Serialization
Monthly
Improper input type validation in Boost Serialization versions up to 1.91 allows remote attackers to send maliciously crafted serialized data that triggers limited compromise of confidentiality, integrity, and availability. Publicly available exploit code exists (published as a GitHub gist by researcher TrebledJ), and the maintainer has indefinitely postponed a fix after the 90-day disclosure deadline expired, leaving downstream C++ applications using Boost Serialization unpatched. No active exploitation has been confirmed via CISA KEV.
Improper input type validation in Boost Serialization versions up to 1.91 allows remote attackers to send maliciously crafted serialized data that triggers limited compromise of confidentiality, integrity, and availability. Publicly available exploit code exists (published as a GitHub gist by researcher TrebledJ), and the maintainer has indefinitely postponed a fix after the 90-day disclosure deadline expired, leaving downstream C++ applications using Boost Serialization unpatched. No active exploitation has been confirmed via CISA KEV.