CVE-2026-9828

Source
https://cve.org/CVERecord?id=CVE-2026-9828
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9828.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-9828
Aliases
Downstream
Related
Published
2026-05-28T12:52:45.852Z
Modified
2026-07-08T08:13:55.621453650Z
Severity
  • 2.9 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/RE:L/U:Green CVSS Calculator
Summary
Logback deserialization whitelist bypass for java.lang and java.util
Details

Deserialization of untrusted data vulnerability in QOS.CH Sarl logback logback-core (HardenedObjectInputStream (logback-core) modules) allows Object Injection albeit heavily restricted.

More precisely, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate objects from classes in the java.lang and java.util packages that are not explicitly blocked.

Although deserialization is heavily restricted by HardenedObjectInputStream and no practical way to achieve remote code execution or significant privilege escalation has been identified, this issue constitutes a bypass of the intended security restrictions.

This issue affects logback: through 1.5.32 inclusive.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/9xxx/CVE-2026-9828.json",
    "cna_assigner": "NCSC.ch",
    "cwe_ids": [
        "CWE-502"
    ]
}
References

Affected packages

Git / github.com/qos-ch/logback

Affected ranges

Type
GIT
Repo
https://github.com/qos-ch/logback
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Last affected
Database specific
{
    "source": "AFFECTED_FIELD",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "1.5.32"
        }
    ]
}

Affected versions

Other
list
possible_mvn_issue
release_0.*
release_0.9.19
v0.*
v0.9.18
v0.9.20
v1.*
v1.0.10
v1.4.2
v_0.*
v_0.9.21
v_0.9.22
v_0.9.23
v_0.9.24
v_0.9.25
v_0.9.26
v_0.9.27
v_0.9.28
v_0.9.29
v_0.9.30
v_1.*
v_1.0.0
v_1.0.1
v_1.0.11
v_1.0.2
v_1.0.3
v_1.0.4
v_1.0.5
v_1.0.6
v_1.0.7
v_1.0.8
v_1.0.9
v_1.1.0
v_1.1.1
v_1.1.10
v_1.1.4
v_1.1.5
v_1.1.6
v_1.1.7
v_1.1.8
v_1.2.0
v_1.2.1
v_1.2.2
v_1.3.0-alpha0
v_1.3.0-alpha10
v_1.3.0-alpha11
v_1.3.0-alpha12
v_1.3.0-alpha12-SNAPSHOT
v_1.3.0-alpha13
v_1.3.0-alpha14
v_1.3.0-alpha15
v_1.3.0-alpha16
v_1.3.0-alpha2
v_1.3.0-alpha3
v_1.3.0-alpha4
v_1.3.0-alpha5
v_1.3.0-alpha6
v_1.3.0-alpha7
v_1.3.0-alpha8
v_1.3.0-alpha9
v_1.3.0-beta0
v_1.4.0
v_1.4.1
v_1.4.10
v_1.4.11
v_1.4.12
v_1.4.13
v_1.4.14
v_1.4.3
v_1.4.4
v_1.4.5
v_1.4.6
v_1.4.7
v_1.4.8
v_1.4.9
v_1.5.0
v_1.5.1
v_1.5.10
v_1.5.11
v_1.5.12
v_1.5.13
v_1.5.14
v_1.5.15
v_1.5.16
v_1.5.17
v_1.5.18
v_1.5.19
v_1.5.20
v_1.5.21
v_1.5.22
v_1.5.23
v_1.5.24
v_1.5.25
v_1.5.26
v_1.5.27
v_1.5.28
v_1.5.29
v_1.5.3
v_1.5.30
v_1.5.31
v_1.5.32
v_1.5.4
v_1.5.5
v_1.5.6
v_1.5.7
v_1.5.8
v_1.5.9
v_1.8.0-alpha1
v_4.*
v_4.1.12

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-9828.json"