Enviar #814456: USCiLab cereal 1.3.2 CWE-1287, CWE-843 (Type Confusion)información

Título	USCiLab cereal 1.3.2 CWE-1287, CWE-843 (Type Confusion)
Descripción	An issue was discovered in Cereal v1.3.2 and below. Insecure deserialization of shared pointers under certain conditions may lead to type confusion, resulting in potential information disclosure, control flow hijacking, and arbitrary code execution. --- Recommended CVSS: - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N - Justification: - AV:N - In the worst case, the library parses untrusted data sent over the network. - AC:L - Binary exploitation techniques are well-known. Security-enhancing conditions such as ASLR and PIE could be bypassed. - AT:P - CVSS guidelines do not provide examples and context assessing this for software frameworks. I have decided to give this Present instead of None, because the affected library is used in vastly different manners. Not all applications using the library are vulnerable, because it is dependent on the prerequisite of deserialising untrusted input under specific conditions. - PR:N - In a reasonable worst case, no privileges are required to exploit. - UI:N - In a reasonable worst case, no user interaction is necessary to exploit. - VC:H - Potential impact encapsulates RCE - VI:H - Potential impact encapsulates RCE - VA:H - Potential impact encapsulates RCE - SC:N - No scope change - SI:N - No scope change - SA:N - No scope change --- Note to moderator: The maintainer was notified on Aug. 23, 2025 and a disclosure deadline was set for 90 days. The maintainer was unreachable after multiple follow-up attempts. No patch is currently available and the disclosure deadline has expired. Let me know if you require screenshots/evidence of the CVD email chain (I am unable to upload private documents). CVD: https://gist.github.com/TrebledJ/0223c1fa3c3fd64e2c7047b8a4385ec0 Vendor: https://github.com/USCiLab Product: https://github.com/USCiLab/cereal
Fuente	⚠️ https://gist.github.com/TrebledJ/0223c1fa3c3fd64e2c7047b8a4385ec0
Usuario	trebledj (UID 94356)
Sumisión	2026-04-27 22:18 (hace 1 mes)
Moderación	2026-06-07 09:45 (1 month later)
Estado	Aceptado
Entrada de VulDB	369083 [USCiLab Cereal hasta 1.3.2 Shared Pointer escalada de privilegios]
Puntos	20

◂ Anterior Visión De Conjunto Próximo ▸

Want to know what is going to be exploited?

We predict KEV entries!