
openSUSE 2026-21201-1 Jackson Annotations Important Array Bypass

openSUSE, July 3, 2026
openSUSE update rated important, addressing vulnerabilities in the Jackson libraries (jackson-annotations, jackson-core, jackson-databind).
An update that solves 4 vulnerabilities and has 5 bug fixes can now be installed.

Description

This update for jackson-annotations, jackson-core, jackson-databind fixes the following issues:

- CVE-2026-54512: jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation (bsc#1268897).

- CVE-2026-54513: jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (bsc#1268898).

- CVE-2026-54514: InetSocketAddress deserialization triggers eager DNS resolution (bsc#1268899).

- CVE-2026-54515: jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties (bsc#1268902).

- Document length constraint bypass in blocking, async, and DataInput parsers (bsc#1268603).
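As an added example (not from the advisory or the Jackson project), a jackson-databind 2.18 ObjectMapper configured to stay off the code paths the databind and jackson-core entries above describe: no default typing, so no PolymorphicTypeValidator decision is ever made; no case-insensitive property matching, so @JsonIgnoreProperties is matched exactly; and a document length cap set explicitly on the parser. The Shape, Circle, Square and Account types and the 1 MB limit are constructed for illustration; installing the 2.18.8 packages remains the actual fix.

```java
// Added example: defensive Jackson configuration around the bug classes in
// this advisory. Not the project's code; the types below are hypothetical.
import com.fasterxml.jackson.annotation.JsonIgnoreProperties;
import com.fasterxml.jackson.annotation.JsonSubTypes;
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.databind.MapperFeature;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

public class HardenedMapper {

    // Polymorphism through a closed set of named subtypes instead of default
    // typing: the document can only pick "circle" or "square", never a class
    // name, so no PolymorphicTypeValidator (and no bypass of one) is consulted.
    @JsonTypeInfo(use = JsonTypeInfo.Id.NAME, property = "kind")
    @JsonSubTypes({
        @JsonSubTypes.Type(value = Circle.class, name = "circle"),
        @JsonSubTypes.Type(value = Square.class, name = "square")
    })
    public interface Shape {}

    public static class Circle implements Shape { public double radius; }
    public static class Square implements Shape { public double side; }

    // "role" must not be settable from input. With case-insensitive matching
    // left off, a key such as "ROLE" does not match the ignored property.
    @JsonIgnoreProperties({"role"})
    public static class Account {
        public String name;
        public String role = "user";
    }

    public static ObjectMapper build() {
        // jackson-core: explicit cap on the whole document (constructed: 1 MB).
        StreamReadConstraints limits = StreamReadConstraints.builder()
                .maxDocumentLength(1_000_000L)
                .build();
        JsonFactory factory = JsonFactory.builder()
                .streamReadConstraints(limits)
                .build();
        return JsonMapper.builder(factory)
                // activateDefaultTyping(...) is deliberately never called
                .disable(MapperFeature.ACCEPT_CASE_INSENSITIVE_PROPERTIES)
                .build();
    }
}
```

The mapper also binds only the declared types, so a value such as an InetSocketAddress is never deserialized from untrusted input in the first place.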

Changes for jackson-annotations:

- Update to 2.18.8

* No changes since 2.17.3

Changes for jackson-core:

- Update to 2.18.8

* Changes of 2.18.8

+ #1611: Apply number-length validator on streaming integer path of async parser

* Changes of 2.18.7

+ #1570: Fail parsing from 'DataInput' if...


Package List

- openSUSE Leap 16.0:

* jackson-annotations-2.18.8-160000.1.1
* jackson-annotations-javadoc-2.18.8-160000.1.1
* jackson-core-2.18.8-160000.1.1
* jackson-core-javadoc-2.18.8-160000.1.1
* jackson-databind-2.18.8-160000.1.1
* jackson-databind-javadoc-2.18.8-160000.1.1

References

* bsc#1268603
* bsc#1268897
* bsc#1268898
* bsc#1268899
* bsc#1268902
* https://www.suse.com/security/cve/CVE-2026-54512.html
* https://www.suse.com/security/cve/CVE-2026-54513.html
* https://www.suse.com/security/cve/CVE-2026-54514.html
* https://www.suse.com/security/cve/CVE-2026-54515.html

Severity: important

Announcement ID: openSUSE-SU-2026:21201-1
Rating: important
Affected Products: openSUSE Leap 16.0
