PatchSiren cyber security CVE debrief
CVE-2026-10532 QOS.CH Sarl CVE debrief
A deserialization of untrusted data vulnerability exists in QOS.CH Sarl logback-core, specifically within the HardenedObjectInputStream module. An attacker with the ability to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate Proxy objects. While deserialization is heavily restricted by HardenedObjectInputStream and no practical remote code execution or significant privilege escalation path has been identified, this issue constitutes a bypass of intended security restrictions. The vulnerability affects logback versions through 1.5.33 inclusive. The CVSS 4.0 score of 2.9 (LOW severity) reflects the high attack complexity and the presence of existing restrictions that limit exploitability. The issue was disclosed on June 1, 2026, with a fix available in version 1.5.34.
- Vendor: QOS.CH Sarl
- Product: logback
- CVSS: LOW 2.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations using logback with SimpleSocketServer or SimpleSSLSocketServer enabled, particularly those exposing these services to untrusted networks. Java applications relying on logback-core's deserialization hardening for security boundaries should assess this bypass in their threat model.
Technical summary
The vulnerability exists in the HardenedObjectInputStream class within logback-core, which is designed to restrict which classes untrusted serialized data may instantiate. An attacker who can control serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can bypass those restrictions to instantiate Proxy objects. The existing hardening still prevents any practical remote code execution, but the ability to instantiate Proxy objects violates the intended security model: a class that the restrictions were meant to keep out is created on the receiving host. The attack requires network access to the socket server and is rated high complexity because the HardenedObjectInputStream restrictions otherwise remain in force. The vulnerability affects all logback versions through 1.5.33; version 1.5.34 contains the remediation.
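The following is an added illustration written for this debrief. It is not code from logback or QOS.CH, and it is not a reconstruction of the actual defect, which this debrief does not detail. It shows one general way a class-name allow-list enforced in ObjectInputStream.resolveClass() can still instantiate a dynamic proxy: the JDK routes proxy class descriptors through resolveProxyClass(), not resolveClass(), and the proxy's superclass java.lang.reflect.Proxy lives under java.lang, a package such allow-lists commonly admit for boxed types and collections. The class names, the allow-list contents and the NoopHandler class are assumptions; in particular the demo assumes the attacker can name a handler class the list accepts, so the proxy does nothing the handler could not already do, which is consistent with the debrief reporting no code execution path. The second stream shows the corresponding hardening: reject proxy descriptors outright.

```java
import java.io.*;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Method;
import java.lang.reflect.Proxy;
import java.util.Arrays;
import java.util.List;

// Added illustration (not logback's code): an allow-list checked only in
// resolveClass() is blind to dynamic proxies, because ObjectInputStream resolves
// proxy class descriptors through resolveProxyClass() instead.
public class ProxyAllowlistDemo {

    /** Hypothetical allow-listed event type, standing in for a logging event value object. */
    public static final class Event implements Serializable {
        private static final long serialVersionUID = 1L;
        final String message;
        Event(String message) { this.message = message; }
    }

    /** Hypothetical serializable handler: it is on the allow-list, the proxy class is not. */
    public static final class NoopHandler implements InvocationHandler, Serializable {
        private static final long serialVersionUID = 1L;
        @Override public Object invoke(Object p, Method m, Object[] a) { return null; }
    }

    /** Weak variant: the allow-list is enforced in resolveClass() only. */
    public static class AllowlistObjectInputStream extends ObjectInputStream {
        private final List<String> exact;
        public AllowlistObjectInputStream(InputStream in, List<String> exact) throws IOException {
            super(in);
            this.exact = exact;
        }
        private boolean isAllowed(String name) {
            // Exact names plus java.lang.* and java.util.*; the latter also admits java.lang.reflect.Proxy.
            return exact.contains(name) || name.startsWith("java.lang.") || name.startsWith("java.util.");
        }
        @Override protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!isAllowed(desc.getName())) {
                throw new InvalidClassException("Unauthorized deserialization attempt", desc.getName());
            }
            return super.resolveClass(desc);
        }
    }

    /** Hardened variant: proxy class descriptors are refused before any interface is loaded. */
    public static class StrictObjectInputStream extends AllowlistObjectInputStream {
        public StrictObjectInputStream(InputStream in, List<String> exact) throws IOException {
            super(in, exact);
        }
        @Override protected Class<?> resolveProxyClass(String[] interfaces) throws IOException {
            throw new InvalidClassException("Proxy classes are not permitted: " + Arrays.toString(interfaces));
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    /** Reads one object and reports whether the stream accepted or rejected it. */
    static String readWith(ObjectInputStream ois) {
        try (ois) {
            Object o = ois.readObject();
            return Proxy.isProxyClass(o.getClass()) ? "ACCEPTED dynamic proxy" : "accepted " + o.getClass().getName();
        } catch (InvalidClassException e) {
            return "rejected (" + e.getMessage() + ")";
        } catch (IOException | ClassNotFoundException e) {
            return "error " + e;
        }
    }

    public static void main(String[] args) throws Exception {
        List<String> allowed = Arrays.asList(Event.class.getName(), NoopHandler.class.getName());
        byte[] legit = serialize(new Event("hello"));
        Object proxy = Proxy.newProxyInstance(ProxyAllowlistDemo.class.getClassLoader(),
                new Class<?>[] { Runnable.class }, new NoopHandler());
        byte[] hostile = serialize(proxy);  // TC_PROXYCLASSDESC record, handler is NoopHandler

        System.out.println("weak,   event : " + readWith(new AllowlistObjectInputStream(new ByteArrayInputStream(legit), allowed)));
        System.out.println("weak,   proxy : " + readWith(new AllowlistObjectInputStream(new ByteArrayInputStream(hostile), allowed)));
        System.out.println("strict, proxy : " + readWith(new StrictObjectInputStream(new ByteArrayInputStream(hostile), allowed)));
    }
}
```

Compile and run with `javac ProxyAllowlistDemo.java && java ProxyAllowlistDemo` (Java 9 or later, for the try-with-resources form). The weak stream accepts both the event and the proxy; the strict stream refuses the proxy at the descriptor, which is the check a custom receiver should add if it cannot upgrade. A JDK-level serialization filter (`ObjectInputFilter`, available since Java 9) set to reject proxies is an equivalent defence at process scope.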
Defensive priority
low
Recommended defensive actions
- Upgrade logback to version 1.5.34 or later to address the deserialization bypass in HardenedObjectInputStream.
- If SimpleSocketServer or SimpleSSLSocketServer are not required, disable or remove these components to eliminate the attack surface.
- Implement network segmentation to restrict access to SimpleSocketServer and SimpleSSLSocketServer ports to trusted hosts only.
- Monitor for anomalous serialized data being sent to logback socket server endpoints.
- Review custom receivers and any subclasses or wrappers of HardenedObjectInputStream to confirm they do not widen its allow-list or fall back to a plain ObjectInputStream, which would weaken the restrictions the fix relies on.
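For the monitoring item above, the following is an added example written for this debrief, not PatchSiren's or logback's code. It scans a captured TCP payload bound for the receiver port for proxy class descriptors. It assumes the payload is raw Java object serialization, which opens with the 0xACED 0005 stream header once per connection, and it flags TC_PROXYCLASSDESC (0x7D) records whose interface count and interface names parse plausibly, so a stray 0x7D byte inside ordinary event data does not fire. The two samples are constructed inside the block; the capture and alerting plumbing is left to the reader.

```java
import java.io.*;
import java.lang.reflect.InvocationHandler;
import java.lang.reflect.Proxy;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

// Added detection example (not logback's code): look for proxy class descriptors
// in bytes captured on the way to a logback socket receiver.
public class ProxyDescriptorScanner {
    // Constants from the Java Object Serialization Stream Protocol.
    static final int STREAM_MAGIC = 0xACED, STREAM_VERSION = 5;
    static final int TC_PROXYCLASSDESC = 0x7D;
    static final int MAX_INTERFACES = 64, MAX_NAME = 512;  // sanity bounds, assumed

    /** True if the payload opens with a serialization stream header. */
    static boolean hasStreamHeader(byte[] d) {
        return d.length >= 4 && u16(d, 0) == STREAM_MAGIC && u16(d, 2) == STREAM_VERSION;
    }

    /**
     * One entry per plausible TC_PROXYCLASSDESC record: the tag, a 4-byte interface
     * count, then that many modified-UTF-8 names (2-byte length prefix each).
     * Each entry is the comma-joined interface list of the proxy.
     */
    static List<String> findProxyDescriptors(byte[] d) {
        List<String> hits = new ArrayList<>();
        for (int i = 0; i + 5 <= d.length; i++) {
            if ((d[i] & 0xFF) != TC_PROXYCLASSDESC) continue;
            int count = i32(d, i + 1);
            if (count < 1 || count > MAX_INTERFACES) continue;
            int p = i + 5;
            List<String> names = new ArrayList<>();
            for (int k = 0; k < count && p + 2 <= d.length; k++) {
                int len = u16(d, p);
                p += 2;
                if (len == 0 || len > MAX_NAME || p + len > d.length) break;
                String name = new String(d, p, len, StandardCharsets.US_ASCII);
                if (!looksLikeClassName(name)) break;
                names.add(name);
                p += len;
            }
            if (names.size() == count) hits.add(String.join(",", names));
        }
        return hits;
    }

    /** Java binary class name: dotted identifiers, '$' allowed for nested types. */
    static boolean looksLikeClassName(String s) {
        return s.matches("[A-Za-z_$][A-Za-z0-9_$]*(\\.[A-Za-z_$][A-Za-z0-9_$]*)*");
    }

    static int u16(byte[] d, int o) { return ((d[o] & 0xFF) << 8) | (d[o + 1] & 0xFF); }
    static int i32(byte[] d, int o) { return (u16(d, o) << 16) | u16(d, o + 2); }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(o); }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed samples: a benign list of strings, and a Runnable proxy whose
        // handler is a serializable lambda (the handler's class is irrelevant to the scan).
        byte[] benign = serialize(new ArrayList<>(List.of("login ok", "session 42")));
        InvocationHandler h = (InvocationHandler & Serializable) (proxy, method, a) -> null;
        byte[] suspicious = serialize(Proxy.newProxyInstance(
                ProxyDescriptorScanner.class.getClassLoader(), new Class<?>[] { Runnable.class }, h));
        for (byte[] sample : new byte[][] { benign, suspicious }) {
            System.out.printf("header=%b proxies=%s%n", hasStreamHeader(sample), findProxyDescriptors(sample));
        }
    }
}
```

The benign sample reports an empty list; the proxy sample reports `java.lang.Runnable`. Because an ObjectOutputStream emits a class descriptor only the first time a class appears on a connection, a scanner must see the connection from its start (or reset) to catch the descriptor; a per-event sample in mid-stream will only show back-references.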
Evidence notes
The CVE description states that although deserialization is heavily restricted by HardenedObjectInputStream, an attacker able to influence serialized data sent to SimpleSocketServer or SimpleSSLSocketServer can instantiate Proxy objects, constituting a bypass of intended security restrictions. The CVSS 4.0 vector indicates a network attack vector with high attack complexity, attack requirements present (AT:P, meaning the attacker depends on conditions outside their control), and low impacts on confidentiality and integrity. The reference to logback.qos.ch news for version 1.5.34 indicates availability of a fixed version.
Official resources
- CVE-2026-10532 CVE record (CVE.org)
- CVE-2026-10532 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-06-01