SUSE-SU-2026:22504-1
Vulnerability from csaf_suse - Published: 2026-07-01 08:56 - Updated: 2026-07-01 08:56Summary
Security update for jackson-annotations, jackson-core, jackson-databind
Severity
Important
Notes
Title of the patch: Security update for jackson-annotations, jackson-core, jackson-databind
Description of the patch: This update for jackson-annotations, jackson-core, jackson-databind fixes the following issues
- CVE-2026-54512: jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows
arbitrary class instantiation (bsc#1268897).
- CVE-2026-54513: jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (bsc#1268898).
- CVE-2026-54514: InetSocketAddress deserialization triggers eager DNS resolution (bsc#1268899).
- CVE-2026-54515: jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties
(bsc#1268902).
- document length constraint bypass in blocking, async, and DataInput parsers (bsc#1268603).
Changes for jackson-annotations:
- Update to 2.18.8
* No changes since 2.17.3
Changes for jackson-core:
- Update to 2.18.8
* Changes of 2.18.8
+ #1611: Apply number-length validator on streaming integer path
of async parser
* Changes of 2.18.7
+ #1570: Fail parsing from 'DataInput' if 'StreamReadConstraints
.getMaxDocumentLength()' set
(bsc#1268603, GHSA-2m67-wjpj-xhg9)
+ #1600: Rework 3rd party licenses in jar
+ #1602: 'UTF8DataInputJsonParser' needs to enforce
'StreamReadConstraints.maxNameLength' limit
* Changes of 2.18.6
+ #1512: Number-parsing fix for 'UTF8DataInputJsonParser'
+ #1548: 'StreamReadConstraints.maxDocumentLength' not checked
when creating parser with fixed buffer
+ #1555: Enforce 'StreamReadConstraints.maxNumberLength' for
non-blocking (async) parser
* Changes of 2.18.5
+ #1433: 'JsonParser#getNumberType()' throws
'JsonParseException' when the current token is non-numeric
instead of returning null
+ #1446: Invalid package reference to "java.lang.foreign" from
'com.fasterxml.jackson.core:jackson-core' (from
'FastDoubleParser')
* Changes of 2.18.3
+ #1391: Fix issue where the parser can read back old number
state when parsing later numbers
+ #1397: Jackson changes additional values to infinite in case
of special JSON structures and existing infinite values
+ #1398: Fix issue that feature
COMBINE_UNICODE_SURROGATES_IN_UTF8 doesn't work when custom
characterEscape is used
* Changes of 2.18.2
+ #1359: Non-surrogate characters being incorrectly combined
when 'JsonWriteFeature.COMBINE_UNICODE_SURROGATES_IN_UTF8' is
enabled
* Changes of 2.18.1
+ #1353: Use fastdoubleparser 1.0.90
* Changes of 2.18.
+ #223: 'UTF8JsonGenerator' writes supplementary characters as a
surrogate pair: should use 4-byte encoding
+ #1230: Improve performance of 'float' and 'double' parsing
from 'TextBuffer'
+ #1251: 'InternCache' replace synchronized with 'ReentrantLock'
- the cache size limit is no longer strictly enforced for
performance reasons but we should never go far about the limit
+ #1252: 'ThreadLocalBufferManager' replace synchronized with
'ReentrantLock'
+ #1257: Increase InternCache default max size from 100 to 200
+ #1262: Add diagnostic method 'pooledCount()' in 'RecyclerPool'
+ #1264: Rename shaded 'ch.randelshofer:fastdoubleparser'
classes to prevent use by downstream consumers
+ #1271: Deprecate 'LockFreePool' implementation in 2.18 (remove
from 3.0)
+ #1274: 'NUL'-corrupted keys, values on JSON serialization
+ #1277: Add back Java 22 optimisation in FastDoubleParser
+ #1284: Optimize 'JsonParser.getDoubleValue()/getFloatValue()
/getDecimalValue()' to avoid String allocation
+ #1305: Make helper methods of 'WriterBasedJsonGenerator'
non-final to allow overriding
+ #1310: Add new 'StreamReadConstraints' ('maxTokenCount') to
limit maximum number of Tokens allowed per document#
+ #1331: Update to FastDoubleParser v1.0.1 to fix 'BigDecimal'
decoding proble
Changes for jackson-databind:
- Update to 2.18.8
* Changes of 2.18.8
+ #5950: Improve 'UUIDeserializer' error handling
+ #5951: Improve 'InetSocketAddress' deserialization
(bsc#1268899, CVE-2026-54514)
+ #5969: '@JsonView' by-passed for some "setterless" creator
properties
+ #5971: '@JsonView' by-passed for unwrapped creator parameters
+ #5974: '@JsonIgnore' on Record property ignored with
'PropertyNamingStrategy'
+ #5981: 'BasicPolymorphicTypeValidator' setting
'allowIfSubTypeIsArray()' should validate element type
(bsc#1268898, CVE-2026-54513)
+ #5988: 'PolymorphicTypeValidator' needs to validate generic
type parameters too (bsc#1268897, CVE-2026-54512)
+ #5993: 'UPPER_SNAKE_CASE' / 'LOWER_CASE' 'NamingStrategyImpls'
fold case using JVM default locale (Turkish-I bug)
* Changes of 2.18.4
+ #4628: '@JsonIgnore' and '@JsonProperty.access=READ_ONLY' on
Record property ignored for deserialization
+ #5049: Duplicate creator property "b" (index 0 vs 1) on simple
java record
* Changes of 2.18.3
+ #4444: The 'KeyDeserializer' specified in the class with
'@JsonDeserialize(keyUsing = ...)' is overwritten by the
'KeyDeserializer' specified in the 'ObjectMapper'.
+ #4827: Subclassed Throwable deserialization fails since
v2.18.0 - no creator index for property 'cause'
+ #4844: Fix wrapped array handling wrt 'null' by
'StdDeserializer'
+ #4848: Avoid type pollution in 'StringCollectionDeserializer'
+ #4860: 'ConstructorDetector.USE_PROPERTIES_BASED' does not
work with multiple constructors since 2.18
+ #4878: When serializing a Map via
Converter(StdDelegatingSerializer), a NullPointerException is
thrown due to missing key serializer
+ #4908: Deserialization behavior change with @JsonCreator and
@ConstructorProperties between 2.17 and 2.18
+ #4917: 'BigDecimal' deserialization issue when using
'@JsonCreator'
+ #4920: Creator properties are ignored on abstract types when
collecting bean properties, breaking AsExternalTypeDeserializer
+ #4922: Failing '@JsonMerge' with a custom Map
+ #4932: Conversion of 'MissingNode' throws
'JsonProcessingException'
* Changes of 2.18.2
+ #4733: Wrong serialization of Type Ids for certain types of
Enum values
+ #4742: Deserialization with Builder, External type id,
'@JsonCreator' failing
+ #4777: 'StdValueInstantiator.withArgsCreator' is now set for
creators with no arguments
+ #4783 Possibly wrong behavior of @JsonMerge
+ #4787: Wrong 'String.format()' in 'StdDelegatingDeserializer'
hides actual error
+ #4788: 'EnumFeature.WRITE_ENUMS_TO_LOWERCASE' overrides
'@JsonProperty' values
+ #4790: Fix '@JsonAnySetter' issue with "setter" method
(related to #4639)
+ #4807: Improve 'FactoryBasedEnumDeserializer' to work better
with XML module
+ #4810: Deserialization using '@JsonCreator' with renamed
property failing (since 2.18)
* Changes of 2.18.1
+ #4508: Deserialized JsonAnySetter field in Kotlin data class
is null
+ #4639: @JsonAnySetter on field ignoring unrecognized
properties if they are declared before the last recognized
properties in JSON
+ #4718: Should not fail on trying to serialize
'java.time.DateTimeException'
+ #4724: Deserialization behavior change with Records,
'@JsonCreator' and '@JsonValue' between 2.17 and 2.18
+ #4727: Eclipse having issues due'module-info' class "lost" on
2.18.0 jars
+ #4741: When 'Include.NON_DEFAULT' setting is used on POJO,
empty values are not included in json if default is 'null'
+ #4749: Fixed a problem with
'StdDelegatingSerializer#serializeWithType' looking up the
serializer with the wrong argument
* Changes of 2.18.0
+ #562: Allow '@JsonAnySetter' to flow through Creators
+ #806: Problem with 'NamingStrategy', creator methods with
implicit names
+ #2977: Incompatible 'FAIL_ON_MISSING_PRIMITIVE_PROPERTIES' and
field level '@JsonProperty'
+ #3120: Return 'ListIterator' from 'ArrayNode.elements()'
+ #3241: 'constructorDetector' seems to invalidate
'defaultSetterInfo' for nullability
+ #3439: Java Record '@JsonAnySetter' value is null after
deserialization
+ #4085: '@JsonView' does not work on class-level for records
+ #4119: Exception when deserialization uses a record with a
constructor property with 'access=READ_ONLY'
+ #4356: 'BeanDeserializerModifier::updateBuilder()' doesn't
work for beans with Creator methods
+ #4407: 'null' type id handling does not work with
'writeTypePrefix()'
+ #4452: '@JsonProperty' not serializing field names properly on
'@JsonCreator' in Record
+ #4453: Allow JSON Integer to deserialize into a single-arg
constructor of parameter type 'double'
+ #4456: Rework locking in 'DeserializerCache'
+ #4458: Rework synchronized block from 'BeanDeserializerBase'
+ #4464: When 'Include.NON_DEFAULT' setting is used, 'isEmpty()'
method is not called on the serializer
+ #4472: Rework synchronized block in 'TypeDeserializerBase'
+ #4483: Remove 'final' on method BeanSerializer.serialize()
+ #4515: Rewrite Bean Property Introspection logic in Jackson
2.x
+ #4545: Unexpected deserialization behavior with
'@JsonCreator', '@JsonProperty' and javac '-parameters'
+ #4570: Deprecate 'ObjectMapper.canDeserialize()'/'ObjectMapper
.canSerialize()'
+ #4580: Add 'MapperFeature
.SORT_CREATOR_PROPERTIES_BY_DECLARATION_ORDER' to use Creator
properties' declaration order for sorting
+ #4584: Provide extension point for detecting "primary"
Constructor for Kotlin (and similar) data classes
+ #4602: Possible wrong use of _arrayDelegateDeserializer in
BeanDeserializerBase::deserializeFromObjectUsingNonDefault()
+ #4617: Record property serialization order not preserved
+ #4626: '@JsonIgnore' on Record property ignored for
deserialization, if there is getter override
+ #4630: '@JsonIncludeProperties', '@JsonIgnoreProperties'
ignored when serializing Records, if there is getter override
+ #4634: '@JsonAnySetter' not working when annotated on both
constructor parameter & field
+ #4678: Java records don't serialize with 'MapperFeature
.REQUIRE_SETTERS_FOR_GETTERS'
+ #4688: Should allow deserializing with no-arg
'@JsonCreator(mode = DELEGATING)'
+ #4694: Deserializing 'BigDecimal' with large number of
decimals result in incorrect value
+ #4699: Add extra 'writeNumber()' method in 'TokenBuffer'
+ #4709: Add 'JacksonCollectors' with 'toArrayNode()'
implementation
+ Fix #5962: Case-insensitive deserialization may use wrong
@JsonIgnoreProperties (bsc#1268902, CVE-2026-54515)
Patchnames: SUSE-SLES-16.0-1124
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.1 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
5.3 (Medium)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
5.3 (Medium)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
References
21 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for jackson-annotations, jackson-core, jackson-databind",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for jackson-annotations, jackson-core, jackson-databind fixes the following issues\n\n- CVE-2026-54512: jackson-databind has a PolymorphicTypeValidator bypass via generic type parameters that allows\n arbitrary class instantiation (bsc#1268897).\n- CVE-2026-54513: jackson-databind has an array subtype allowlist bypass in BasicPolymorphicTypeValidator (bsc#1268898).\n- CVE-2026-54514: InetSocketAddress deserialization triggers eager DNS resolution (bsc#1268899).\n- CVE-2026-54515: jackson-databind has case-insensitive deserialization bypasses per-property @JsonIgnoreProperties\n (bsc#1268902).\n- document length constraint bypass in blocking, async, and DataInput parsers (bsc#1268603).\n\nChanges for jackson-annotations:\n\n- Update to 2.18.8\n * No changes since 2.17.3\n\nChanges for jackson-core:\n\n- Update to 2.18.8\n * Changes of 2.18.8\n + #1611: Apply number-length validator on streaming integer path\n of async parser\n * Changes of 2.18.7\n + #1570: Fail parsing from \u0027DataInput\u0027 if \u0027StreamReadConstraints\n .getMaxDocumentLength()\u0027 set\n (bsc#1268603, GHSA-2m67-wjpj-xhg9)\n + #1600: Rework 3rd party licenses in jar\n + #1602: \u0027UTF8DataInputJsonParser\u0027 needs to enforce\n \u0027StreamReadConstraints.maxNameLength\u0027 limit\n * Changes of 2.18.6\n + #1512: Number-parsing fix for \u0027UTF8DataInputJsonParser\u0027\n + #1548: \u0027StreamReadConstraints.maxDocumentLength\u0027 not checked\n when creating parser with fixed buffer\n + #1555: Enforce \u0027StreamReadConstraints.maxNumberLength\u0027 for\n non-blocking (async) parser\n * Changes of 2.18.5\n + #1433: \u0027JsonParser#getNumberType()\u0027 throws\n \u0027JsonParseException\u0027 when the current token is non-numeric\n instead of returning null\n + #1446: Invalid package reference to \"java.lang.foreign\" from\n \u0027com.fasterxml.jackson.core:jackson-core\u0027 (from\n \u0027FastDoubleParser\u0027)\n * Changes of 2.18.3\n + #1391: Fix issue where the parser can read back old number\n state when parsing later numbers\n + #1397: Jackson changes additional values to infinite in case\n of special JSON structures and existing infinite values\n + #1398: Fix issue that feature\n COMBINE_UNICODE_SURROGATES_IN_UTF8 doesn\u0027t work when custom\n characterEscape is used\n * Changes of 2.18.2\n + #1359: Non-surrogate characters being incorrectly combined\n when \u0027JsonWriteFeature.COMBINE_UNICODE_SURROGATES_IN_UTF8\u0027 is\n enabled\n * Changes of 2.18.1\n + #1353: Use fastdoubleparser 1.0.90\n * Changes of 2.18.\n + #223: \u0027UTF8JsonGenerator\u0027 writes supplementary characters as a\n surrogate pair: should use 4-byte encoding\n + #1230: Improve performance of \u0027float\u0027 and \u0027double\u0027 parsing\n from \u0027TextBuffer\u0027\n + #1251: \u0027InternCache\u0027 replace synchronized with \u0027ReentrantLock\u0027\n - the cache size limit is no longer strictly enforced for\n performance reasons but we should never go far about the limit\n + #1252: \u0027ThreadLocalBufferManager\u0027 replace synchronized with\n \u0027ReentrantLock\u0027\n + #1257: Increase InternCache default max size from 100 to 200\n + #1262: Add diagnostic method \u0027pooledCount()\u0027 in \u0027RecyclerPool\u0027\n + #1264: Rename shaded \u0027ch.randelshofer:fastdoubleparser\u0027\n classes to prevent use by downstream consumers\n + #1271: Deprecate \u0027LockFreePool\u0027 implementation in 2.18 (remove\n from 3.0)\n + #1274: \u0027NUL\u0027-corrupted keys, values on JSON serialization\n + #1277: Add back Java 22 optimisation in FastDoubleParser\n + #1284: Optimize \u0027JsonParser.getDoubleValue()/getFloatValue()\n /getDecimalValue()\u0027 to avoid String allocation\n + #1305: Make helper methods of \u0027WriterBasedJsonGenerator\u0027\n non-final to allow overriding\n + #1310: Add new \u0027StreamReadConstraints\u0027 (\u0027maxTokenCount\u0027) to\n limit maximum number of Tokens allowed per document#\n + #1331: Update to FastDoubleParser v1.0.1 to fix \u0027BigDecimal\u0027\n decoding proble\n\nChanges for jackson-databind:\n\n- Update to 2.18.8\n * Changes of 2.18.8\n + #5950: Improve \u0027UUIDeserializer\u0027 error handling\n + #5951: Improve \u0027InetSocketAddress\u0027 deserialization\n (bsc#1268899, CVE-2026-54514)\n + #5969: \u0027@JsonView\u0027 by-passed for some \"setterless\" creator\n properties\n + #5971: \u0027@JsonView\u0027 by-passed for unwrapped creator parameters\n + #5974: \u0027@JsonIgnore\u0027 on Record property ignored with\n \u0027PropertyNamingStrategy\u0027\n + #5981: \u0027BasicPolymorphicTypeValidator\u0027 setting\n \u0027allowIfSubTypeIsArray()\u0027 should validate element type\n (bsc#1268898, CVE-2026-54513)\n + #5988: \u0027PolymorphicTypeValidator\u0027 needs to validate generic\n type parameters too (bsc#1268897, CVE-2026-54512)\n + #5993: \u0027UPPER_SNAKE_CASE\u0027 / \u0027LOWER_CASE\u0027 \u0027NamingStrategyImpls\u0027\n fold case using JVM default locale (Turkish-I bug)\n * Changes of 2.18.4\n + #4628: \u0027@JsonIgnore\u0027 and \u0027@JsonProperty.access=READ_ONLY\u0027 on\n Record property ignored for deserialization\n + #5049: Duplicate creator property \"b\" (index 0 vs 1) on simple\n java record\n * Changes of 2.18.3\n + #4444: The \u0027KeyDeserializer\u0027 specified in the class with\n \u0027@JsonDeserialize(keyUsing = ...)\u0027 is overwritten by the\n \u0027KeyDeserializer\u0027 specified in the \u0027ObjectMapper\u0027.\n + #4827: Subclassed Throwable deserialization fails since\n v2.18.0 - no creator index for property \u0027cause\u0027\n + #4844: Fix wrapped array handling wrt \u0027null\u0027 by\n \u0027StdDeserializer\u0027\n + #4848: Avoid type pollution in \u0027StringCollectionDeserializer\u0027\n + #4860: \u0027ConstructorDetector.USE_PROPERTIES_BASED\u0027 does not\n work with multiple constructors since 2.18\n + #4878: When serializing a Map via\n Converter(StdDelegatingSerializer), a NullPointerException is\n thrown due to missing key serializer\n + #4908: Deserialization behavior change with @JsonCreator and\n @ConstructorProperties between 2.17 and 2.18\n + #4917: \u0027BigDecimal\u0027 deserialization issue when using\n \u0027@JsonCreator\u0027\n + #4920: Creator properties are ignored on abstract types when\n collecting bean properties, breaking AsExternalTypeDeserializer\n + #4922: Failing \u0027@JsonMerge\u0027 with a custom Map\n + #4932: Conversion of \u0027MissingNode\u0027 throws\n \u0027JsonProcessingException\u0027\n * Changes of 2.18.2\n + #4733: Wrong serialization of Type Ids for certain types of\n Enum values\n + #4742: Deserialization with Builder, External type id,\n \u0027@JsonCreator\u0027 failing\n + #4777: \u0027StdValueInstantiator.withArgsCreator\u0027 is now set for\n creators with no arguments\n + #4783 Possibly wrong behavior of @JsonMerge\n + #4787: Wrong \u0027String.format()\u0027 in \u0027StdDelegatingDeserializer\u0027\n hides actual error\n + #4788: \u0027EnumFeature.WRITE_ENUMS_TO_LOWERCASE\u0027 overrides\n \u0027@JsonProperty\u0027 values\n + #4790: Fix \u0027@JsonAnySetter\u0027 issue with \"setter\" method\n (related to #4639)\n + #4807: Improve \u0027FactoryBasedEnumDeserializer\u0027 to work better\n with XML module\n + #4810: Deserialization using \u0027@JsonCreator\u0027 with renamed\n property failing (since 2.18)\n * Changes of 2.18.1\n + #4508: Deserialized JsonAnySetter field in Kotlin data class\n is null\n + #4639: @JsonAnySetter on field ignoring unrecognized\n properties if they are declared before the last recognized\n properties in JSON\n + #4718: Should not fail on trying to serialize\n \u0027java.time.DateTimeException\u0027\n + #4724: Deserialization behavior change with Records,\n \u0027@JsonCreator\u0027 and \u0027@JsonValue\u0027 between 2.17 and 2.18\n + #4727: Eclipse having issues due\u0027module-info\u0027 class \"lost\" on\n 2.18.0 jars\n + #4741: When \u0027Include.NON_DEFAULT\u0027 setting is used on POJO,\n empty values are not included in json if default is \u0027null\u0027\n + #4749: Fixed a problem with\n \u0027StdDelegatingSerializer#serializeWithType\u0027 looking up the\n serializer with the wrong argument\n * Changes of 2.18.0\n + #562: Allow \u0027@JsonAnySetter\u0027 to flow through Creators\n + #806: Problem with \u0027NamingStrategy\u0027, creator methods with\n implicit names\n + #2977: Incompatible \u0027FAIL_ON_MISSING_PRIMITIVE_PROPERTIES\u0027 and\n field level \u0027@JsonProperty\u0027\n + #3120: Return \u0027ListIterator\u0027 from \u0027ArrayNode.elements()\u0027\n + #3241: \u0027constructorDetector\u0027 seems to invalidate\n \u0027defaultSetterInfo\u0027 for nullability\n + #3439: Java Record \u0027@JsonAnySetter\u0027 value is null after\n deserialization\n + #4085: \u0027@JsonView\u0027 does not work on class-level for records\n + #4119: Exception when deserialization uses a record with a\n constructor property with \u0027access=READ_ONLY\u0027\n + #4356: \u0027BeanDeserializerModifier::updateBuilder()\u0027 doesn\u0027t\n work for beans with Creator methods\n + #4407: \u0027null\u0027 type id handling does not work with\n \u0027writeTypePrefix()\u0027\n + #4452: \u0027@JsonProperty\u0027 not serializing field names properly on\n \u0027@JsonCreator\u0027 in Record\n + #4453: Allow JSON Integer to deserialize into a single-arg\n constructor of parameter type \u0027double\u0027\n + #4456: Rework locking in \u0027DeserializerCache\u0027\n + #4458: Rework synchronized block from \u0027BeanDeserializerBase\u0027\n + #4464: When \u0027Include.NON_DEFAULT\u0027 setting is used, \u0027isEmpty()\u0027\n method is not called on the serializer\n + #4472: Rework synchronized block in \u0027TypeDeserializerBase\u0027\n + #4483: Remove \u0027final\u0027 on method BeanSerializer.serialize()\n + #4515: Rewrite Bean Property Introspection logic in Jackson\n 2.x\n + #4545: Unexpected deserialization behavior with\n \u0027@JsonCreator\u0027, \u0027@JsonProperty\u0027 and javac \u0027-parameters\u0027\n + #4570: Deprecate \u0027ObjectMapper.canDeserialize()\u0027/\u0027ObjectMapper\n .canSerialize()\u0027\n + #4580: Add \u0027MapperFeature\n .SORT_CREATOR_PROPERTIES_BY_DECLARATION_ORDER\u0027 to use Creator\n properties\u0027 declaration order for sorting\n + #4584: Provide extension point for detecting \"primary\"\n Constructor for Kotlin (and similar) data classes\n + #4602: Possible wrong use of _arrayDelegateDeserializer in\n BeanDeserializerBase::deserializeFromObjectUsingNonDefault()\n + #4617: Record property serialization order not preserved\n + #4626: \u0027@JsonIgnore\u0027 on Record property ignored for\n deserialization, if there is getter override\n + #4630: \u0027@JsonIncludeProperties\u0027, \u0027@JsonIgnoreProperties\u0027\n ignored when serializing Records, if there is getter override\n + #4634: \u0027@JsonAnySetter\u0027 not working when annotated on both\n constructor parameter \u0026 field\n + #4678: Java records don\u0027t serialize with \u0027MapperFeature\n .REQUIRE_SETTERS_FOR_GETTERS\u0027\n + #4688: Should allow deserializing with no-arg\n \u0027@JsonCreator(mode = DELEGATING)\u0027\n + #4694: Deserializing \u0027BigDecimal\u0027 with large number of\n decimals result in incorrect value\n + #4699: Add extra \u0027writeNumber()\u0027 method in \u0027TokenBuffer\u0027\n + #4709: Add \u0027JacksonCollectors\u0027 with \u0027toArrayNode()\u0027\n implementation\n + Fix #5962: Case-insensitive deserialization may use wrong\n @JsonIgnoreProperties (bsc#1268902, CVE-2026-54515)\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-1124",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_22504-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:22504-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202622504-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:22504-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-July/048006.html"
},
{
"category": "self",
"summary": "SUSE Bug 1268603",
"url": "https://bugzilla.suse.com/1268603"
},
{
"category": "self",
"summary": "SUSE Bug 1268897",
"url": "https://bugzilla.suse.com/1268897"
},
{
"category": "self",
"summary": "SUSE Bug 1268898",
"url": "https://bugzilla.suse.com/1268898"
},
{
"category": "self",
"summary": "SUSE Bug 1268899",
"url": "https://bugzilla.suse.com/1268899"
},
{
"category": "self",
"summary": "SUSE Bug 1268902",
"url": "https://bugzilla.suse.com/1268902"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54512 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54512/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54513 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54513/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54514 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54514/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-54515 page",
"url": "https://www.suse.com/security/cve/CVE-2026-54515/"
}
],
"title": "Security update for jackson-annotations, jackson-core, jackson-databind",
"tracking": {
"current_release_date": "2026-07-01T08:56:00Z",
"generator": {
"date": "2026-07-01T08:56:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:22504-1",
"initial_release_date": "2026-07-01T08:56:00Z",
"revision_history": [
{
"date": "2026-07-01T08:56:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "jackson-annotations-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-annotations-2.18.8-160000.1.1.noarch",
"product_id": "jackson-annotations-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"product_id": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-core-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-core-2.18.8-160000.1.1.noarch",
"product_id": "jackson-core-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"product_id": "jackson-core-javadoc-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-databind-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-databind-2.18.8-160000.1.1.noarch",
"product_id": "jackson-databind-2.18.8-160000.1.1.noarch"
}
},
{
"category": "product_version",
"name": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"product": {
"name": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"product_id": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-annotations-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-annotations-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-core-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-core-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-core-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-databind-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-annotations-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-annotations-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-core-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-core-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-core-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-databind-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
},
"product_reference": "jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-54512",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54512"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, jackson-databind\u0027s PolymorphicTypeValidator (PTV) is the primary safety mechanism guarding polymorphic deserialization. When polymorphic typing is enabled and a type identifier contains generic parameters (i.e. the type ID string contains \u003c), DatabindContext._resolveAndValidateGeneric() validates only the raw container class name (the substring before \u003c) against the configured PTV. If the container type is approved, the method parses the full canonical type string via TypeFactory.constructFromCanonical() and returns the fully parameterized type without ever validating the nested type arguments against the PTV. The nested type arguments are then resolved, instantiated, and populated as beans during deserialization. An attacker who controls the type ID can therefore place a denied class as a generic type parameter of an allowed container - for example java.util.ArrayList\u003ccom.evil.Gadget\u003e when only java.util.ArrayList is allow-listed. The container passes the PTV check; com.evil.Gadget is loaded via Class.forName(name, true, loader), instantiated, and its properties are set from attacker-controlled JSON. This completely bypasses an explicitly configured PTV allow-list. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54512",
"url": "https://www.suse.com/security/cve/CVE-2026-54512"
},
{
"category": "external",
"summary": "SUSE Bug 1268897 for CVE-2026-54512",
"url": "https://bugzilla.suse.com/1268897"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-01T08:56:00Z",
"details": "important"
}
],
"title": "CVE-2026-54512"
},
{
"cve": "CVE-2026-54513",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54513"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.10.0 until 2.18.8, 2.21.4, and 3.1.4, BasicPolymorphicTypeValidator.Builder.allowIfSubTypeIsArray() allowlists any array type based only on clazz.isArray(), without validating the array\u0027s component (element) type against the configured allowlist. A PTV built with allowIfSubTypeIsArray() plus an explicit concrete-type allowlist therefore still permits EvilType[] even though EvilType is not allowlisted. When Jackson deserializes the elements and no per-element type IDs are present, it instantiates the component type directly with no further PTV check, bypassing the allowlist. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54513",
"url": "https://www.suse.com/security/cve/CVE-2026-54513"
},
{
"category": "external",
"summary": "SUSE Bug 1268898 for CVE-2026-54513",
"url": "https://bugzilla.suse.com/1268898"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-01T08:56:00Z",
"details": "important"
}
],
"title": "CVE-2026-54513"
},
{
"cve": "CVE-2026-54514",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54514"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.0.0 until 2.18.8, 2.21.4, and 3.1.4, JDKFromStringDeserializer constructed InetSocketAddress with new InetSocketAddress(host, port), which performs eager DNS name resolution for hostname inputs at deserialization time. An application that binds untrusted JSON into a type containing an InetSocketAddress field issues an attacker-chosen DNS query during readValue, before any application-level validation or connect logic. The fix uses InetSocketAddress.createUnresolved(host, port), deferring DNS to an explicit connect. This vulnerability is fixed in 2.18.8, 2.21.4, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54514",
"url": "https://www.suse.com/security/cve/CVE-2026-54514"
},
{
"category": "external",
"summary": "SUSE Bug 1268899 for CVE-2026-54514",
"url": "https://bugzilla.suse.com/1268899"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-01T08:56:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-54514"
},
{
"cve": "CVE-2026-54515",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-54515"
}
],
"notes": [
{
"category": "general",
"text": "jackson-databind contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. From 2.8.0 until 2.18.9, 2.21.5, and 3.1.4, in BeanDeserializerBase.createContextual(), per-property @JsonIgnoreProperties exclusions are applied by _handleByNameInclusion(), producing a contextual deserializer whose BeanPropertyMap has the ignored properties removed. The subsequent per-property case-insensitivity block (triggered by @JsonFormat(ACCEPT_CASE_INSENSITIVE_PROPERTIES)) rebuilds from this._beanProperties (the original, unfiltered map) instead of contextual._beanProperties, then overwrites the filtered map - restoring every property _handleByNameInclusion had just removed. The ignored property becomes writable again. This vulnerability is fixed in 2.18.9, 2.21.5, and 3.1.4.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-54515",
"url": "https://www.suse.com/security/cve/CVE-2026-54515"
},
{
"category": "external",
"summary": "SUSE Bug 1268902 for CVE-2026-54515",
"url": "https://bugzilla.suse.com/1268902"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-annotations-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-core-javadoc-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-2.18.8-160000.1.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:jackson-databind-javadoc-2.18.8-160000.1.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-07-01T08:56:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-54515"
}
]
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…