Gửi #814455: boostorg boost serialization 1.91 CWE-1287, CWE-843 (Type Confusion)thông tin

tiêu đề	boostorg boost serialization 1.91 CWE-1287, CWE-843 (Type Confusion)
Mô tả	An issue was discovered in Boost Serialization 1.91 and below. Insecure deserialization of pointers under certain conditions may lead to confusion attacks, resulting in potential information disclosure, control flow hijacking, heap corruption, and arbitrary code execution. --- Recommended CVSS: - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N - Justification: - AV:N - In the worst case, the library parses untrusted data sent over the network. - AC:L - Binary exploitation techniques are well-known. Security-enhancing conditions such as ASLR and PIE could be bypassed. - AT:P - CVSS guidelines do not provide examples and context assessing this for software frameworks. I have decided to give this Present instead of None, because the affected library is used in vastly different manners. Not all applications using the library are vulnerable, because it is dependent on the prerequisite of deserialising untrusted input under specific conditions. - PR:N - In a reasonable worst case, no privileges are required to exploit. - UI:N - In a reasonable worst case, no user interaction is necessary to exploit. - VC:H - Potential impact encapsulates RCE - VI:H - Potential impact encapsulates RCE - VA:H - Potential impact encapsulates RCE - SC:N - No scope change - SI:N - No scope change - SA:N - No scope change --- Note to moderator: The maintainer was notified on Aug. 5, 2025 and a disclosure deadline was set for 90 days. The maintainer acknowledged but postponed indefinitely citing time concerns. No patch is currently available and the disclosure deadline has expired. Let me know if you require screenshots/evidence of the CVD email chain (I am unable to upload private documents). CVD: https://gist.github.com/TrebledJ/b7c872f869b5ed7cbd936f71f16c7d75 Vendor: https://github.com/boostorg Product: https://github.com/boostorg/serialization
Nguồn	⚠️ https://gist.github.com/TrebledJ/b7c872f869b5ed7cbd936f71f16c7d75
Người dùng	trebledj (UID 94356)
Đệ trình	27/04/2026 22:15 (cách đây 1 tháng)
Kiểm duyệt	07/06/2026 09:25 (1 month later)
Trạng thái	được chấp nhận
Mục VulDB	369080 [Boost Serialization đến 1.91 Thực thi mã từ xa]
điểm	20

◂ Trước Tổng Quan Tiếp theo ▸

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!