RLSA-2026:40895

Source
https://errata.rockylinux.org/RLSA-2026:40895
Import Source
https://storage.googleapis.com/resf-osv-data/RLSA-2026:40895.json
JSON Data
https://api.osv.dev/v1/vulns/RLSA-2026:40895
Upstream
Published
2026-07-17T12:03:25.223367Z
Modified
2026-07-17T12:30:05.775110781Z
Severity
  • 8.1 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Important: jackson-annotations, jackson-core, jackson-databind, jackson-jaxrs-providers, and jackson-modules-base security update
Details

The general-purpose data-binding functionality and tree-model for Jackson Data Processor. It builds on core streaming parser/generator package, and uses Jackson Annotations for configuration.

Security Fix(es):

  • jackson-databind: Jackson-databind: Security bypass allows arbitrary code execution (CVE-2026-54513)

  • jackson-databind: jackson-databind: Arbitrary code execution via PolymorphicTypeValidator bypass (CVE-2026-54512)

For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

References
Credits
    • Rocky Enterprise Software Foundation
    • Red Hat

Affected packages

Rocky Linux:9 / jackson-annotations

Package

Name
jackson-annotations
Purl
pkg:rpm/rocky-linux/jackson-annotations?distro=rocky-linux-9-x86-64&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:2.21-1.el9_8
Database specific
{
    "yum_repository": "AppStream"
}

Database specific

source
"https://storage.googleapis.com/resf-osv-data/RLSA-2026:40895.json"

Rocky Linux:9 / jackson-core

Package

Name
jackson-core
Purl
pkg:rpm/rocky-linux/jackson-core?distro=rocky-linux-9-x86-64&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:2.21.4-1.el9_8
Database specific
{
    "yum_repository": "AppStream"
}

Database specific

source
"https://storage.googleapis.com/resf-osv-data/RLSA-2026:40895.json"

Rocky Linux:9 / jackson-databind

Package

Name
jackson-databind
Purl
pkg:rpm/rocky-linux/jackson-databind?distro=rocky-linux-9-x86-64&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:2.21.4-1.el9_8
Database specific
{
    "yum_repository": "AppStream"
}

Database specific

source
"https://storage.googleapis.com/resf-osv-data/RLSA-2026:40895.json"

Rocky Linux:9 / jackson-jaxrs-providers

Package

Name
jackson-jaxrs-providers
Purl
pkg:rpm/rocky-linux/jackson-jaxrs-providers?distro=rocky-linux-9-x86-64&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:2.21.4-1.el9_8
Database specific
{
    "yum_repository": "AppStream"
}

Database specific

source
"https://storage.googleapis.com/resf-osv-data/RLSA-2026:40895.json"

Rocky Linux:9 / jackson-modules-base

Package

Name
jackson-modules-base
Purl
pkg:rpm/rocky-linux/jackson-modules-base?distro=rocky-linux-9-x86-64&epoch=0

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
0:2.21.4-1.el9_8
Database specific
{
    "yum_repository": "AppStream"
}

Database specific

source
"https://storage.googleapis.com/resf-osv-data/RLSA-2026:40895.json"