CVE-2026-11460

Summary

A flaw has been found in Boost Serialization up to 1.91. The impacted element is an unknown function. This manipulation causes improper validation of specified type of input. It is possible to initiate the attack remotely. The exploit has been published and may be used. The maintainer was notified on Aug 2025 and a disclosure deadline was set for 90 days. The maintainer acknowledged but postponed indefinitely citing time concerns. No patch is currently available and the disclosure deadline has expired.

Affected Software

VendorProductVersion RangeStatus
BoostSerialization1.0affected
BoostSerialization1.1affected
BoostSerialization1.2affected
BoostSerialization1.3affected
BoostSerialization1.4affected
BoostSerialization1.5affected
BoostSerialization1.6affected
BoostSerialization1.7affected
BoostSerialization1.8affected
BoostSerialization1.9affected
BoostSerialization1.10affected
BoostSerialization1.11affected
BoostSerialization1.12affected
BoostSerialization1.13affected
BoostSerialization1.14affected
BoostSerialization1.15affected
BoostSerialization1.16affected
BoostSerialization1.17affected
BoostSerialization1.18affected
BoostSerialization1.19affected
BoostSerialization1.20affected
BoostSerialization1.21affected
BoostSerialization1.22affected
BoostSerialization1.23affected
BoostSerialization1.24affected
BoostSerialization1.25affected
BoostSerialization1.26affected
BoostSerialization1.27affected
BoostSerialization1.28affected
BoostSerialization1.29affected
BoostSerialization1.30affected
BoostSerialization1.31affected
BoostSerialization1.32affected
BoostSerialization1.33affected
BoostSerialization1.34affected
BoostSerialization1.35affected
BoostSerialization1.36affected
BoostSerialization1.37affected
BoostSerialization1.38affected
BoostSerialization1.39affected
BoostSerialization1.40affected
BoostSerialization1.41affected
BoostSerialization1.42affected
BoostSerialization1.43affected
BoostSerialization1.44affected
BoostSerialization1.45affected
BoostSerialization1.46affected
BoostSerialization1.47affected
BoostSerialization1.48affected
BoostSerialization1.49affected
BoostSerialization1.50affected
BoostSerialization1.51affected
BoostSerialization1.52affected
BoostSerialization1.53affected
BoostSerialization1.54affected
BoostSerialization1.55affected
BoostSerialization1.56affected
BoostSerialization1.57affected
BoostSerialization1.58affected
BoostSerialization1.59affected
BoostSerialization1.60affected
BoostSerialization1.61affected
BoostSerialization1.62affected
BoostSerialization1.63affected
BoostSerialization1.64affected
BoostSerialization1.65affected
BoostSerialization1.66affected
BoostSerialization1.67affected
BoostSerialization1.68affected
BoostSerialization1.69affected
BoostSerialization1.70affected
BoostSerialization1.71affected
BoostSerialization1.72affected
BoostSerialization1.73affected
BoostSerialization1.74affected
BoostSerialization1.75affected
BoostSerialization1.76affected
BoostSerialization1.77affected
BoostSerialization1.78affected
BoostSerialization1.79affected
BoostSerialization1.80affected
BoostSerialization1.81affected
BoostSerialization1.82affected
BoostSerialization1.83affected
BoostSerialization1.84affected
BoostSerialization1.85affected
BoostSerialization1.86affected
BoostSerialization1.87affected
BoostSerialization1.88affected
BoostSerialization1.89affected
BoostSerialization1.90affected
BoostSerialization1.91affected

Weaknesses

  • CWE-1287: Improper Validation of Specified Type of Input
  • CWE-20: Improper Input Validation

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: yes
    • Technical Impact: partial

References