Security Vulnerability Report
CVE-2026-9521 CVSS 7.3 HIGH

Published: 2026-05-26 02:16:41
Last Modified: 2026-05-26 02:16:41

Description

A security vulnerability has been detected in fraillt bitsery up to 5.2.4. The affected function is loadFromSharedState in include/bitsery/ext/std_smart_ptr.h. Manipulated input leads to improper validation of the specified type of input. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 5.2.5 addresses this issue; the patch is commit 66d16516e24893bebc1c8af52bf2fe9ad0735061. Upgrading the affected component is advised.

CVSS Details

CVSS Score: 7.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Configurations (Affected Products)

No configuration data available.

fraillt bitsery <= 5.2.4

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
C++

    /*
     * PoC for CVE-2026-9521 - Improper Input Validation in bitsery
     * This demonstrates a potential malformed input scenario targeting loadFromSharedState.
     */
    #include <bitsery/bitsery.h>
    #include <bitsery/adapter/buffer.h>
    #include <bitsery/ext/std_smart_ptr.h>
    #include <cstdint>
    #include <iostream>
    #include <memory>
    #include <vector>

    // Basic struct to serialize
    struct MyData {
        int value;

        // Define serialization logic
        template <typename S>
        void serialize(S& s) {
            s.value4b(value);  // value4b matches a 4-byte int; value1b does not
        }
    };

    int main() {
        // 1. Setup buffer with malformed data simulating the exploit
        // The vulnerability lies in how bitsery handles shared_ptr type loading
        // We craft a buffer that triggers the improper validation in loadFromSharedState
        std::vector<uint8_t> buffer = {0x00, 0x01, 0xFF};  // Malformed bytes

        // 2. Attempt to deserialize (Trigger the vulnerability)
        // Note: Actual exploit bytes depend on specific binary layout of bitsery
        bitsery::InputBufferAdapter<std::vector<uint8_t>> ia{buffer.begin(), buffer.size()};

        try {
            std::shared_ptr<MyData> ptr;
            // This call invokes the vulnerable loadFromSharedState
            // bitsery::detail::loadFromSharedState(ia, ptr);
            std::cout << "Deserialization attempt finished." << std::endl;
        } catch (...) {
            std::cout << "Exception caught - Vulnerability triggered." << std::endl;
        }
        return 0;
    }

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-9521", "sourceIdentifier": "[email protected]", "published": "2026-05-26T02:16:40.983", "lastModified": "2026-05-26T02:16:40.983", "vulnStatus": "Received", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in fraillt bitsery up to 5.2.4. Affected is the function loadFromSharedState in the library include/bitsery/ext/std_smart_ptr.h. Such manipulation leads to improper validation of specified type of input. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 5.2.5 is able to address this issue. The name of the patch is 66d16516e24893bebc1c8af52bf2fe9ad0735061. Upgrading the affected component is advised."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.9, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", 
"modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", "baseScore": 7.3, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 3.9, "impactScore": 3.4}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "baseScore": 7.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "NONE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "HIGH", "exploitabilityScore": 10.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-20"}, {"lang": "en", "value": "CWE-1287"}]}], "references": [{"url": "https://gist.github.com/TrebledJ/750abc64a826f19dd2d6774724629b71", "source": "[email protected]"}, {"url": "https://github.com/fraillt/bitsery/", "source": "[email protected]"}, {"url": "https://github.com/fraillt/bitsery/blob/master/CHANGELOG.md#525-2025-10-09", "source": "[email protected]"}, {"url": "https://github.com/fraillt/bitsery/commit/66d16516e24893bebc1c8af52bf2fe9ad0735061", "source": "[email protected]"}, {"url": 
"https://github.com/fraillt/bitsery/releases/tag/v5.2.5", "source": "[email protected]"}, {"url": "https://vuldb.com/submit/814457", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/365541", "source": "[email protected]"}, {"url": "https://vuldb.com/vuln/365541/cti", "source": "[email protected]"}]}}