HIGH 7.3

CVE-2026-11460: Boost Serialization Remote Input Validation Flaw – No Patch Available

Boost Serialization, a widely-used C++ library for object serialization, contains a validation flaw that allows remote attackers to send specially crafted input that bypasses security checks. The vulnerability affects all versions up to 1.91 and can lead to information disclosure, data tampering, or service disruption. No patch currently exists, and the vendor has indefinitely postponed fixing it despite being notified in August 2025 and exceeding the 90-day disclosure deadline.

Source data · NVD / CISA · public domain

CVSS
3.1 · 7.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-1287, CWE-20
Affected products
0 configuration(s)
Published / Modified
2026-06-07 / 2026-06-17

NVD description (verbatim)

A flaw has been found in Boost Serialization up to 1.91. The impacted element is an unknown function. This manipulation causes improper validation of specified type of input. It is possible to initiate the attack remotely. The exploit has been published and may be used. The maintainer was notified on Aug 2025 and a disclosure deadline was set for 90 days. The maintainer acknowledged but postponed indefinitely citing time concerns. No patch is currently available and the disclosure deadline has expired.

6 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11460 is a remote, unauthenticated input validation weakness (CWE-20, CWE-1287) in Boost Serialization that allows improper handling of serialized data. The vulnerability resides in an unspecified function and permits an attacker to craft malicious serialized objects that evade type validation. With a CVSS v3.1 score of 7.3 (HIGH), the attack vector is network-based, requires no authentication or user interaction, and impacts confidentiality, integrity, and availability equally. The flaw affects all versions through 1.91, with no security update issued as of the publication date.

Business impact

Organizations relying on Boost Serialization for data deserialization—particularly in network services, inter-process communication, and data persistence—face exposure to data breaches, unauthorized modification of serialized objects, and potential denial-of-service attacks. The absence of a patch creates operational risk for development teams who cannot upgrade to safety. Companies handling sensitive data or running always-on services are especially vulnerable, as exploitation could compromise data integrity and system availability with no vendor-supplied mitigation path available.

Affected systems

Any application or library that depends on Boost Serialization version 1.91 or earlier is potentially affected. This includes embedded serialization use cases in C++ applications across web services, database systems, financial platforms, and real-time processing frameworks. Vendors shipping Boost as a dependency should audit their supply chain. The advisory does not specify which downstream products are affected, requiring organizations to perform manual dependency scanning.

Exploitability

The vulnerability is exploitable remotely without authentication or user action, making it a significant risk. A proof-of-concept has been publicly disclosed, lowering the barrier to attack. The straightforward attack surface—crafting malicious serialized input—means exploitation tools or scripts may already be circulating. Organizations should assume active exploitation is possible, particularly against internet-facing services that deserialize untrusted data.

Remediation

No patch is available from the maintainers. Short-term mitigations include: (1) implement strict input validation and type-checking logic before deserialization where possible; (2) isolate Boost Serialization usage to trusted, authenticated channels only; (3) disable or sandbox serialization features if not essential; (4) monitor inbound serialized data for anomalies; (5) consider forking and patching the library internally if business-critical. Long-term, evaluate alternative serialization libraries (e.g., Protocol Buffers, MessagePack, FlatBuffers) with stronger security track records and active maintenance.

Patch guidance

No official patch exists. Contact the Boost maintainers for updated timeline information, but be aware that the maintainer has indicated indefinite postponement due to resource constraints. If a patch does materialize, verify version numbering against official Boost release notes before deployment. In the interim, prioritize migrating away from Boost Serialization in new projects and assess feasibility of refactoring existing integrations to use maintained, secure alternatives.

Detection guidance

Monitor network traffic for unusual serialized data payloads destined for Boost Serialization endpoints. Deploy runtime integrity checks on deserialized objects to detect malformed or unexpected type structures. Instrument deserialization code paths with logging to capture failed type validation attempts. Use software composition analysis (SCA) tools to identify all internal and third-party dependencies on Boost Serialization and their version levels. Set up alerts for processes attempting to deserialize data from untrusted sources, and correlate with known exploit signatures as they emerge in threat intelligence feeds.

Why prioritize this

This vulnerability warrants immediate attention due to the combination of remote exploitability, published proof-of-concept, absence of a security patch, and broad applicability across C++ ecosystems. The HIGH severity rating reflects real impact on confidentiality, integrity, and availability. The indefinite postponement by maintainers means this is a long-lived risk requiring architectural mitigation rather than a temporary patch-and-move-on scenario. Organizations should treat this as a critical dependency management and code refactoring priority.

Risk score, explained

The CVSS v3.1 score of 7.3 (HIGH) reflects a network-exploitable flaw with no authentication barrier, low attack complexity, and measurable impact across all three security pillars (CIA). The score does not account for the absence of a patch or the disclosed exploit, factors that elevate real-world risk beyond the base score. The underlying CWE-20 (improper input validation) and CWE-1287 (improper validation of specified type) are well-known attack primitives with mature exploitation techniques.

Frequently asked questions

Is there any timeline for a patch?

No. The Boost maintainers acknowledged the vulnerability in August 2025 but have indicated indefinite postponement, citing time constraints. The 90-day disclosure deadline has passed. Organizations should not rely on an official patch and should instead focus on mitigation and migration strategies.

Which versions of Boost are affected?

All versions of Boost Serialization up to and including version 1.91 are affected. If your application or library lists Boost as a dependency, verify your specific version using your package manager or build system and cross-reference against 1.91.

Can I safely use Boost Serialization if I only deserialize trusted data?

While restricting deserialization to authenticated, internal-only channels reduces risk, it does not eliminate it. An attacker with access to your internal network or a compromised trusted source could still exploit this flaw. True safety requires either applying a vendor patch (unavailable), internal code patching, or migrating to an alternative serialization library.

What serialization alternatives should we consider?

Protocol Buffers, Apache Thrift, MessagePack, FlatBuffers, and CBOR are actively maintained serialization frameworks with strong security practices. Evaluate each against your performance and compatibility requirements, but prioritize projects where Boost Serialization is handling untrusted or semi-trusted data.

This analysis is based on publicly available vulnerability data current as of the modification date (2026-06-17). The Boost maintainer's patch timeline and internal security practices may change; consult official Boost channels and your vendor advisories for the latest status. This document provides risk guidance and does not constitute legal or compliance advice. Organizations must conduct their own impact assessments and testing before applying any mitigations. SEC.co does not warrant the completeness or accuracy of third-party vendor timelines or patch availability claims. Source: NVD (public-domain), retrieved 2026-07-15. Analysis generated by SEC.co (claude-haiku-4-5).