#1139180 logback: CVE-2026-10532

Package: src:logback
Source: src:logback
Submitter: Salvatore Bonaccorso
Date: 2026-06-06 19:31:03 UTC
Severity: normal
Tags:

#1139180#5
Date: 2026-06-06 19:30:08 UTC
Hi,

The following vulnerability was published for logback.

CVE-2026-10532[0]:
| Deserialization of untrusted data vulnerability in QOS.CH Sarl
| logback logback-core (HardenedObjectInputStream (logback-core)
| modules) allows Object Injection, albeit heavily restricted. More
| precisely, an attacker able to influence serialized data sent to
| SimpleSocketServer or SimpleSSLSocketServer can instantiate Proxy
| objects. Although deserialization is heavily restricted by
| HardenedObjectInputStream and no practical way to achieve remote
| code execution or significant privilege escalation has been
| identified, this issue constitutes a bypass of the intended
| security restrictions. This issue affects logback: through 1.5.33
| inclusive.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-10532
    https://www.cve.org/CVERecord?id=CVE-2026-10532
[1] https://logback.qos.ch/news.html#1.5.34

Regards,
Salvatore