CVE-2026-10532 Overview
CVE-2026-10532 is a deserialization of untrusted data vulnerability [CWE-502] in the QOS.CH Sarl logback-core library. The flaw resides in the HardenedObjectInputStream module used by SimpleSocketServer and SimpleSSLSocketServer. An attacker who can influence serialized data sent to these listeners can instantiate Proxy objects, bypassing intended deserialization restrictions. The issue affects all logback releases through 1.5.33 inclusive. No practical path to remote code execution or significant privilege escalation has been demonstrated, but the bypass undermines the hardening that HardenedObjectInputStream was designed to enforce.
Critical Impact
Object Injection via bypass of HardenedObjectInputStream restrictions when an attacker can reach SimpleSocketServer or SimpleSSLSocketServer endpoints.
Affected Products
- QOS.CH Sarl logback-core through 1.5.33 inclusive
- Applications exposing SimpleSocketServer for remote log event reception
- Applications exposing SimpleSSLSocketServer for TLS-protected log event reception
Discovery Timeline
- 2026-06-01 - CVE-2026-10532 published to NVD
- 2026-06-01 - Last updated in NVD database
Technical Details for CVE-2026-10532
Vulnerability Analysis
Logback ships SimpleSocketServer and SimpleSSLSocketServer to receive serialized ILoggingEvent objects from remote appenders. To limit deserialization risk, logback wraps the input stream with HardenedObjectInputStream, which enforces an allowlist of permitted classes. The vulnerability stems from a gap in the allowlist enforcement: java.lang.reflect.Proxy instances can still be instantiated during deserialization. An attacker who can send crafted serialized bytes to a listening socket can construct Proxy objects against the allowed interface set. The class filter blocks most direct gadget chains, so researchers have not identified a path to arbitrary code execution. The bypass still violates the documented security boundary of HardenedObjectInputStream.
Root Cause
The root cause is incomplete class filtering inside HardenedObjectInputStream. The resolveClass logic restricts concrete class resolution but does not constrain dynamic proxy generation, which uses a different resolution path. Java deserialization invokes resolveProxyClass for proxy descriptors, and that method was not subject to the same hardening checks as ordinary class lookups.
Attack Vector
Exploitation requires network reachability to a SimpleSocketServer or SimpleSSLSocketServer instance accepting connections from untrusted sources. The attacker opens a TCP connection, writes a Java serialization stream containing a proxy descriptor, and triggers readObject on the server side. Attack complexity is high because the attacker must reach a typically internal logging port and craft a stream that the hardened filter accepts. The EPSS data places exploitation likelihood at a very low percentile, consistent with the absence of a practical RCE chain.
No verified public exploit code is available. See the Logback Release Announcement for vendor technical details.
Detection Methods for CVE-2026-10532
Indicators of Compromise
- Inbound TCP connections to logback SimpleSocketServer default port 4560 from hosts outside the expected appender population.
- Java exceptions in application logs referencing HardenedObjectInputStream, resolveProxyClass, or unexpected Proxy instantiation during deserialization.
- Long-lived sockets to logback receiver ports originating from untrusted network segments.
Detection Strategies
- Inventory all running Java services that load logback-core versions at or below 1.5.33 and identify whether they expose SimpleSocketServer or SimpleSSLSocketServer.
- Inspect process command lines and configuration files for ch.qos.logback.classic.net.SimpleSocketServer invocations.
- Use network telemetry to flag any external or cross-segment traffic reaching logback receiver ports.
Monitoring Recommendations
- Alert on stack traces containing java.io.ObjectInputStream.readObject paired with ch.qos.logback.core.net.HardenedObjectInputStream.
- Monitor for new listening sockets on ports historically used by logback receivers across the server fleet.
- Capture JVM audit logs that record dynamic proxy class generation in services receiving remote serialized data.
How to Mitigate CVE-2026-10532
Immediate Actions Required
- Upgrade logback-core and logback-classic to version 1.5.34 or later across all applications and container images.
- Restrict network access to SimpleSocketServer and SimpleSSLSocketServer ports so only trusted log producers can connect.
- Audit production deployments for unintended exposure of logback receiver sockets to untrusted networks.
Patch Information
QOS.CH addressed the issue in logback 1.5.34. The release notes are published in the Logback Release Announcement. Update direct dependencies and verify transitive resolution in Maven or Gradle to ensure the patched version is loaded at runtime.
Workarounds
- Disable use of SimpleSocketServer and SimpleSSLSocketServer where remote log ingestion is not strictly required.
- Bind logback receiver sockets to loopback or to internal management interfaces only, and enforce firewall rules in front of them.
- Require mutual TLS on SimpleSSLSocketServer so only authenticated log producers can deliver serialized events.
# Example Maven dependency override to enforce the patched version
mvn versions:use-dep-version \
-Dincludes=ch.qos.logback:logback-core,ch.qos.logback:logback-classic \
-DdepVersion=1.5.34 \
-DforceVersion=true
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

