Submeter #814455: boostorg boost serialization 1.91 CWE-1287, CWE-843 (Type Confusion)informação

Título	boostorg boost serialization 1.91 CWE-1287, CWE-843 (Type Confusion)
Descrição	An issue was discovered in Boost Serialization 1.91 and below. Insecure deserialization of pointers under certain conditions may lead to confusion attacks, resulting in potential information disclosure, control flow hijacking, heap corruption, and arbitrary code execution. --- Recommended CVSS: - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N - Justification: - AV:N - In the worst case, the library parses untrusted data sent over the network. - AC:L - Binary exploitation techniques are well-known. Security-enhancing conditions such as ASLR and PIE could be bypassed. - AT:P - CVSS guidelines do not provide examples and context assessing this for software frameworks. I have decided to give this Present instead of None, because the affected library is used in vastly different manners. Not all applications using the library are vulnerable, because it is dependent on the prerequisite of deserialising untrusted input under specific conditions. - PR:N - In a reasonable worst case, no privileges are required to exploit. - UI:N - In a reasonable worst case, no user interaction is necessary to exploit. - VC:H - Potential impact encapsulates RCE - VI:H - Potential impact encapsulates RCE - VA:H - Potential impact encapsulates RCE - SC:N - No scope change - SI:N - No scope change - SA:N - No scope change --- Note to moderator: The maintainer was notified on Aug. 5, 2025 and a disclosure deadline was set for 90 days. The maintainer acknowledged but postponed indefinitely citing time concerns. No patch is currently available and the disclosure deadline has expired. Let me know if you require screenshots/evidence of the CVD email chain (I am unable to upload private documents). CVD: https://gist.github.com/TrebledJ/b7c872f869b5ed7cbd936f71f16c7d75 Vendor: https://github.com/boostorg Product: https://github.com/boostorg/serialization
Fonte	⚠️ https://gist.github.com/TrebledJ/b7c872f869b5ed7cbd936f71f16c7d75
Utilizador	trebledj (UID 94356)
Submissão	27/04/2026 22h15 (há 1 mês)
Moderação	07/06/2026 09h25 (1 month later)
Estado	Aceite
Entrada VulDB	369080 [Boost Serialization até 1.91 Execução remota de código]
Pontos	20

◂ Voltar Visão Geral Próximo ▸

Do you want to use VulDB in your project?

Use the official API to access entries easily!