On Mon, Jun 22, 2026, at 11:12 PM, Chris Frey via Boost wrote:
I haven't seen mention of this on this list yet, so just passing it along.
Vulnerability page: https://vuldb.com/cve/CVE-2026-11460
More details: https://gist.github.com/TrebledJ/b7c872f869b5ed7cbd936f71f16c7d75
Isn't this by design and as documented? Boost Serialization does not have checksums/tampering protection. Basically, reading untrusted archives is a no-no because malformed archives lead to undefined behavior. I believe this is documented under some version compatibility paragraphs, and likely under the `archive_flags`?

That's a limitation of the scope of the library, but not necessarily in application, because the protection/authentication can be built into a higher layer of the serialization that is based on Boost Serialization archives.

Just thinking out loud here,
Seth
- Chris