CVE-2026-9521: fraillt bitsery std_smart_ptr.h loadFromSharedState improper validation of specified type of input

A security vulnerability has been detected in fraillt bitsery up to 5.2.4. Affected is the function loadFromSharedState in the library file include/bitsery/ext/std_smart_ptr.h. Manipulation of this function leads to improper validation of the specified type of input. The attack can be launched remotely. An exploit has been disclosed publicly and may be used. Upgrading to version 5.2.5 addresses this issue; the fix is commit 66d16516e24893bebc1c8af52bf2fe9ad0735061. Upgrading the affected component is advised.

Severity: High · CVSS 7.5 · Not KEV-listed
Glexia's Take: high

Analyst readout for executives and security teams

Plain-English summary

Bitsery has a high-severity input validation flaw in smart pointer deserialization. If an application accepts untrusted serialized data and uses the affected code path, a remote attacker may affect confidentiality, integrity, or availability. A public exploit is referenced, but the supplied sources do not show confirmed active exploitation.

Executive priority

Treat this as a timely patching priority for products that ingest external serialized data. It is not currently KEV-listed, but remote reachability and public exploit disclosure increase urgency. Organizations without bitsery or without untrusted deserialization exposure have lower immediate risk.

Technical view

The issue affects loadFromSharedState in include/bitsery/ext/std_smart_ptr.h and is mapped to CWE-1287 and CWE-20; the submission also references type confusion. Sources describe remote attack potential, CVSSv2 7.5, and a fix in commit 66d16516e24893bebc1c8af52bf2fe9ad0735061 released as bitsery 5.2.5.

Likely exposure

Exposure is most likely in C++ applications embedding fraillt bitsery and deserializing remote or otherwise untrusted data using the std_smart_ptr extension. The description says versions up to 5.2.4 are affected and 5.2.5 fixes it, but the affected list also includes 5.2.5, so verify against vendor guidance.

Exploitation context

The source bundle states the attack can be launched remotely and that exploit material has been publicly disclosed. KEV is false, and no cited source confirms in-the-wild exploitation. Practical risk depends on whether an exposed application passes attacker-controlled serialized data into the affected smart pointer deserialization path.

Researcher notes

Key uncertainty is version scope: narrative sources say fixed in 5.2.5, while the affected array includes 5.2.5. Validate with the GitHub release, changelog, and patch. Avoid assuming active exploitation without new evidence. Focus review on type validation around shared pointer state reconstruction.

Mitigation direction

  • Upgrade bitsery to 5.2.5 or a vendor-confirmed fixed release.
  • Apply the referenced patch commit if bitsery is vendored or pinned.
  • Restrict or reject untrusted serialized inputs where feasible.
  • Review vendor, CVE, and VulDB updates for version-scope corrections.
  • Prioritize internet-facing services that deserialize external data.

Validation and detection

  • Inventory repositories and builds for fraillt bitsery usage.
  • Confirm deployed bitsery versions and any vendored copies.
  • Search code for std_smart_ptr extension and loadFromSharedState use.
  • Identify APIs or file parsers accepting untrusted serialized data.
  • Run existing deserialization regression tests after upgrading.
Confidence: medium
Sources: 10

Based on public source material and reviewed before publication.

Potential ATT&CK relevance

Conservative CVE-to-ATT&CK context

These mappings and lookup hints may be relevant to the vulnerability behavior, CWE, affected product, or exposure path. Glexia-inferred context is not an official MITRE, ATT&CK, CWE, or CVE Program mapping.

ATT&CK lookup starting points

Use these exact CWE pages and searches to review the Glexia ATT&CK library from this CVE's weakness and description context. All three entries below are low-confidence Glexia lookup hints, not official ATT&CK mappings.

  • CWE-1287: exact CWE lookup. Use the exact CWE identifier as the starting point before reviewing related ATT&CK behavior: open the exact CWE lookup page first, then review the ATT&CK searches from that MITRE weakness context.
  • CWE-20: exact CWE lookup, reviewed the same way.
  • CVE-2026-9521 mapping review: the CVE-to-ATT&CK bridge for reviewed, inferred, or future official mappings tied to this CVE.
Vulnerability profile (CVE Program record)

  • Severity: High
  • CVSS: 7.5 (v2.0)
  • Known Exploited: No
  • Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C

Official CVE source material

CNA and ADP enrichment extracted from CVE v5

These fields come from the CVE record and ADP containers, not from Glexia's Take. They preserve time-varying source decisions such as CISA SSVC, KEV status, CVSS metrics, and provider references.

  • 4 CVSS vectors
  • 6 timeline events
  • 1 ADP provider
  • 9 source links

SSVC decision data

CISA-ADP (CISA Coordinator), SSVC version 2.0.3
  • Exploitation: poc
  • Automatable: yes
  • Technical Impact: partial

CVSS vector scores

4 official scores

We collect every scored CVSS vector available in the official CNA and ADP containers. When more than one version is present, the table keeps the source vectors side by side instead of collapsing them into the highest score. The Exploitability and Impact columns are the sub-scores reported with each vector (not reported for the CVSS 4.0 entry).

Score  Version   Severity  Vector                                                                  Exploitability  Impact  Source
7.5    CVSS 2.0  High      AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:OF/RC:C                             10              6.4     VulDB
7.3    CVSS 3.1  High      CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C              3.9             3.4     VulDB
7.3    CVSS 3.0  High      CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C              3.9             3.4     VulDB
6.3    CVSS 4.0  Medium    CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P     -               -       VulDB

Vulnerability scoring details

Base CVSS 4.0 score: 6.3 (Medium)

Vector: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

CVSS 4.0 metrics for CVE-2026-9521, decoded from the vector above:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: Present
  • Privileges Required: None
  • User Interaction: None
  • Vulnerable System Confidentiality / Integrity / Availability: Low / Low / Low
  • Subsequent System Confidentiality / Integrity / Availability: None / None / None
  • Exploit Maturity: Proof-of-Concept

Vulnerability timeline

Timeline events are normalized from CVE metadata, CNA source timelines, ADP timelines, and KEV metadata when present.

  1. Source timeline VulDB

    Advisory disclosed

  2. Source timeline VulDB

    VulDB entry created

  3. CVE reserved CVE Program

    The CVE ID was reserved by the assigning CNA.

  4. Source timeline VulDB

    VulDB entry last update

  5. CVE published CVE Program

    The CVE record was published.

  6. CVE updated CVE Program

    The CVE record metadata indicates this as the latest update time.

ADP provider summaries

  • CISA-ADP (CISA ADP Vulnrichment): other:ssvc
Affected products

Products and packages named in the record:

Vendor   Product  Version / package                           Status
fraillt  bitsery  5.2.0, 5.2.1, 5.2.2, 5.2.3, 5.2.4, 5.2.5    Listed
Weakness

CWE details

CWE links open Glexia weakness intelligence pages with official CWE context, developer remediation guidance, and related CVE mappings.

  • CWE-1287 (source CWE mapping): mapping pending import
  • CWE-20 (source CWE mapping): mapping pending import

This CVE carries CWE mappings that will resolve to full Glexia CWE intelligence pages after the official CWE import is complete.