SUSE Jackson Annotations Security Vulnerabilities Addressed in Recent Updates

SUSE Jackson Annotations Security Vulnerabilities Addressed in Recent Updates

First seen 9 Jul 2026, 18:11 UTC Linuxsecurity 95% similarity 64.5

Article Content

Browse articles
ThreatCluster

SUSE released important security updates for jackson-annotations, jackson-core, and jackson-databind to address multiple vulnerabilities identified as CVE-2026-54512, CVE-2026-54513, CVE-2026-54514, and CVE-2026-54515. These vulnerabilities include a PolymorphicTypeValidator bypass, array subtype allowlist bypass, and issues related to eager DNS resolution and case-insensitive deserialization. The vulnerabilities were published on June 23, 2026, and have been rated with CVSS scores ranging from 5.3 to 8.1, indicating a significant risk. The updates were released on July 1, 2026, and July 8, 2026, respectively. Users of affected systems are advised to apply the updates promptly to mitigate potential exploitation. The vulnerabilities could allow attackers to instantiate arbitrary classes or bypass security features, leading to unauthorized access or data exposure.

Key Points: • SUSE issued updates for jackson-annotations and related libraries to fix critical vulnerabilities. • Four CVEs were identified, with CVE-2026-54512 and CVE-2026-54513 rated 8.1 on the CVSS scale. • Affected users are urged to apply the updates released on July 1 and July 8, 2026, to secure their systems.

ThreatCluster AI

Timeline

2026-06-23
CVE-2026-54512 published
A PolymorphicTypeValidator bypass vulnerability in jackson-databind was disclosed, allowing arbitrary class instantiation.
Linuxsecurity
2026-06-23
CVE-2026-54513 published
An array subtype allowlist bypass in BasicPolymorphicTypeValidator was disclosed, posing a significant risk.
Linuxsecurity
2026-06-23
CVE-2026-54514 published
A vulnerability causing eager DNS resolution during InetSocketAddress deserialization was disclosed.
Linuxsecurity
2026-06-23
CVE-2026-54515 published
A case-insensitive deserialization bypass vulnerability was disclosed, affecting jackson-databind.
Linuxsecurity
2026-07-01
SUSE releases update for CVEs
SUSE released an important update addressing multiple vulnerabilities in jackson-annotations and related libraries.
Linuxsecurity
2026-07-08
SUSE releases additional update for CVEs
A subsequent update was released to further address vulnerabilities in jackson-annotations and related libraries.
Linuxsecurity

Community

Browse all →