## This update for jackson-annotations, jackson-core, jackson-databind fixes the following issues * CVE-2026-54512: jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows arbitrary class instantiation (bsc#1268897). * CVE-2026-54513: jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (bsc#1268898). * CVE-2026-54514: InetSocketAddress deserialization triggers eager DNS resolution (bsc#1268899). * CVE-2026-54515: jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties (bsc#1268902). * document length constraint bypass in blocking, async, and DataInput parsers (bsc#1268603). Changes for jackson-annotations: * Update to 2.18.8 * No changes since 2.17.3
* bsc#1268603
* bsc#1268897
* bsc#1268898
* bsc#1268899
* bsc#1268902
Cross-
* CVE-2026-54512
* CVE-2026-54513
* CVE-2026-54514
* CVE-2026-54515
CVSS scores:
* CVE-2026-54512 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-54512 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-54513 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-54513 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-54513 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-54514 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-54514 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-54515 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Get the latest Linux and open source security news straight to your inbox.