This update for jackson-annotations, jackson-core, jackson-databind fixes the following issues:
- CVE-2026-54512: jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows
arbitrary class instantiation (bsc#1268897).
- CVE-2026-54513: jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (bsc#1268898).
- CVE-2026-54514: InetSocketAddress deserialization triggers eager DNS resolution (bsc#1268899).
- CVE-2026-54515: case-insensitive deserialization in jackson-databind bypasses per-property @JsonIgnoreProperties
(bsc#1268902).
- document length constraint bypass in blocking, async, and DataInput parsers (bsc#1268603).
Changes for jackson-annotations:
- Update to 2.18.8
* No changes since 2.17.3
Changes for jackson-core:
- Update to 2.18.8
* Changes of 2.18.8
+ #1611: Apply number-length validator on streaming integer path
of async parser
* Changes of 2.18.7
+ #1570: Fail parsing from 'DataInput' if...
- openSUSE Leap 16.0:
jackson-annotations-2.18.8-160000.1.1
jackson-annotations-javadoc-2.18.8-160000.1.1
jackson-core-2.18.8-160000.1.1
jackson-core-javadoc-2.18.8-160000.1.1
jackson-databind-2.18.8-160000.1.1
jackson-databind-javadoc-2.18.8-160000.1.1
* bsc#1268603
* bsc#1268897
* bsc#1268898
* bsc#1268899
* bsc#1268902
References:
* https://www.suse.com/security/cve/CVE-2026-54512.html
* https://www.suse.com/security/cve/CVE-2026-54513.html
* https://www.suse.com/security/cve/CVE-2026-54514.html
* https://www.suse.com/security/cve/CVE-2026-54515.html