Submit #814455: boostorg boost serialization 1.91 CWE-1287, CWE-843 (Type Confusion)info

Title	boostorg boost serialization 1.91 CWE-1287, CWE-843 (Type Confusion)
Description	An issue was discovered in Boost Serialization 1.91 and below. Insecure deserialization of pointers under certain conditions may lead to confusion attacks, resulting in potential information disclosure, control flow hijacking, heap corruption, and arbitrary code execution. --- Recommended CVSS: - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N - Justification: - AV:N - In the worst case, the library parses untrusted data sent over the network. - AC:L - Binary exploitation techniques are well-known. Security-enhancing conditions such as ASLR and PIE could be bypassed. - AT:P - CVSS guidelines do not provide examples and context assessing this for software frameworks. I have decided to give this Present instead of None, because the affected library is used in vastly different manners. Not all applications using the library are vulnerable, because it is dependent on the prerequisite of deserialising untrusted input under specific conditions. - PR:N - In a reasonable worst case, no privileges are required to exploit. - UI:N - In a reasonable worst case, no user interaction is necessary to exploit. - VC:H - Potential impact encapsulates RCE - VI:H - Potential impact encapsulates RCE - VA:H - Potential impact encapsulates RCE - SC:N - No scope change - SI:N - No scope change - SA:N - No scope change --- Note to moderator: The maintainer was notified on Aug. 5, 2025 and a disclosure deadline was set for 90 days. The maintainer acknowledged but postponed indefinitely citing time concerns. No patch is currently available and the disclosure deadline has expired. Let me know if you require screenshots/evidence of the CVD email chain (I am unable to upload private documents). CVD: https://gist.github.com/TrebledJ/b7c872f869b5ed7cbd936f71f16c7d75 Vendor: https://github.com/boostorg Product: https://github.com/boostorg/serialization
Source	⚠️ https://gist.github.com/TrebledJ/b7c872f869b5ed7cbd936f71f16c7d75
User	trebledj (UID 94356)
Submission	04/27/2026 22:15 (1 month ago)
Moderation	06/07/2026 09:25 (1 month later)
Status	Accepted
VulDB entry	369080 [Boost Serialization up to 1.91 improper validation of specified type of input]
Points	20

◂ Previous Overview Next ▸

Do you need the next level of professionalism?

Upgrade your account now!