CVE Catalog

CVE-2026-47065

CriticalCVSS 9.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.47%

37th percentile — higher than 37% of all known CVEs

Summary

Vulnerabilities ZDRES-232 and ZDRES-233 in the library allow bypassing the accepted classes filter via java.lang.reflect.Proxy and triggering static initializers of allow-listed classes before instance creation. An attacker can remotely execute code or cause unwanted side effects.

Risk Assessment

The risk involves bypassing deserialization security mechanisms, potentially leading to remote code execution (RCE) or uncontrolled static initializer execution, which may destabilize the system.

Recommendation

Immediately update the library to a version where both vulnerabilities are fixed. If an update is not possible, temporarily disable deserialization of untrusted data or apply additional filters.

Original NVD description (English source)

ZDRES-232: resolveProxyClass Not Overridden - acceptMatchers Filter Bypass via java.lang.reflect.Proxy Assessment: Fully addressed. When the serialised stream contains a TC_PROXYCLASSDESC (the marker for a java.lang.reflect.Proxy ), JDK’s ObjectInputStream.readProxyDesc() is dispatched. JDK then calls the default ObjectInputStream.resolveProxyClass(interfaces) implementation, which performs Class.forName(intf, false, latestUserDefinedLoader()) for EACH interface name and constructs the proxy class — bypassing the accepted classes list . ZDRES-233: Class.forName(name, initialize=true, classLoader) in readClassDescriptor Triggers Static Initialiser of Allow-Listed Classes Assessment: Fully addressed. For ANY class on the allow-list, deserialising a stream that names it triggers the class’s (static initialiser) BEFORE any instance is constructed. This means an attacker who supplies a class name on the allow-list (e.g., the developer wrote accept(“com.myapp.*") , attacker supplies com.myapp.SomeClass ) causes <clinit> of SomeClass — and many real-world classes have side-effecting static initialisers Both issues have been fixed.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS