SUSE-SU-2026:22504-1: important: Security update for jackson-annotations, jackson-core, jackson-databind
SLE-SECURITY-UPDATES
null at suse.de
Mon Jul 6 16:31:28 UTC 2026
# Security update for jackson-annotations, jackson-core, jackson-databind
Announcement ID: SUSE-SU-2026:22504-1
Release Date: 2026-07-01T09:06:57Z
Rating: important
References:
* bsc#1268603
* bsc#1268897
* bsc#1268898
* bsc#1268899
* bsc#1268902
Cross-References:
* CVE-2026-54512
* CVE-2026-54513
* CVE-2026-54514
* CVE-2026-54515
CVSS scores:
* CVE-2026-54512 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-54512 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-54513 ( SUSE ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-54513 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-54513 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
* CVE-2026-54514 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-54514 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
* CVE-2026-54515 ( SUSE ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
* CVE-2026-54515 ( NVD ): 5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
Affected Products:
* SUSE Linux Enterprise Server 16.0
* SUSE Linux Enterprise Server for SAP applications 16.0
An update that solves four vulnerabilities and has one fix can now be installed.
## Description:
This update for jackson-annotations, jackson-core, jackson-databind fixes the
following issues
* CVE-2026-54512: jackson-databind has a PolymorphicTypeValidator bypass via
generic type parameters that allows arbitrary class instantiation
(bsc#1268897).
* CVE-2026-54513: jackson-databind has an array subtype allowlist bypass in
BasicPolymorphicTypeValidator (bsc#1268898).
* CVE-2026-54514: InetSocketAddress deserialization triggers eager DNS
resolution (bsc#1268899).
* CVE-2026-54515: jackson-databind has case-insensitive deserialization
bypasses per-property @JsonIgnoreProperties (bsc#1268902).
* document length constraint bypass in blocking, async, and DataInput parsers
(bsc#1268603).
Changes for jackson-annotations:
* Update to 2.18.8
* No changes since 2.17.3
Changes for jackson-core:
* Update to 2.18.8
* Changes of 2.18.8
* # 1611: Apply number-length validator on streaming integer path
of async parser
* Changes of 2.18.7
* # 1570: Fail parsing from 'DataInput' if 'StreamReadConstraints
.getMaxDocumentLength()' set (bsc#1268603, GHSA-2m67-wjpj-xhg9)
* # 1600: Rework 3rd party licenses in jar
* # 1602: 'UTF8DataInputJsonParser' needs to enforce
'StreamReadConstraints.maxNameLength' limit
* Changes of 2.18.6
* # 1512: Number-parsing fix for 'UTF8DataInputJsonParser'
* # 1548: 'StreamReadConstraints.maxDocumentLength' not checked
when creating parser with fixed buffer
* # 1555: Enforce 'StreamReadConstraints.maxNumberLength' for
non-blocking (async) parser
* Changes of 2.18.5
* # 1433: 'JsonParser#getNumberType()' throws
'JsonParseException' when the current token is non-numeric instead of returning
null
* # 1446: Invalid package reference to "java.lang.foreign" from
'com.fasterxml.jackson.core:jackson-core' (from 'FastDoubleParser')
* Changes of 2.18.3
* # 1391: Fix issue where the parser can read back old number
state when parsing later numbers
* # 1397: Jackson changes additional values to infinite in case
of special JSON structures and existing infinite values
* # 1398: Fix issue that feature
COMBINE_UNICODE_SURROGATES_IN_UTF8 doesn't work when custom characterEscape is
used
* Changes of 2.18.2
* # 1359: Non-surrogate characters being incorrectly combined
when 'JsonWriteFeature.COMBINE_UNICODE_SURROGATES_IN_UTF8' is enabled
* Changes of 2.18.1
* # 1353: Use fastdoubleparser 1.0.90
* Changes of 2.18.
* # 223: 'UTF8JsonGenerator' writes supplementary characters as a
surrogate pair: should use 4-byte encoding
* # 1230: Improve performance of 'float' and 'double' parsing
from 'TextBuffer'
* # 1251: 'InternCache' replace synchronized with 'ReentrantLock'
* the cache size limit is no longer strictly enforced for performance reasons
but we should never go far about the limit
* # 1252: 'ThreadLocalBufferManager' replace synchronized with
'ReentrantLock'
* # 1257: Increase InternCache default max size from 100 to 200
* # 1262: Add diagnostic method 'pooledCount()' in 'RecyclerPool'
* # 1264: Rename shaded 'ch.randelshofer:fastdoubleparser'
classes to prevent use by downstream consumers
* # 1271: Deprecate 'LockFreePool' implementation in 2.18 (remove
from 3.0)
* # 1274: 'NUL'-corrupted keys, values on JSON serialization
* # 1277: Add back Java 22 optimisation in FastDoubleParser
* # 1284: Optimize 'JsonParser.getDoubleValue()/getFloatValue()
/getDecimalValue()' to avoid String allocation
* # 1305: Make helper methods of 'WriterBasedJsonGenerator'
non-final to allow overriding
* # 1310: Add new 'StreamReadConstraints' ('maxTokenCount') to
limit maximum number of Tokens allowed per document#
* # 1331: Update to FastDoubleParser v1.0.1 to fix 'BigDecimal'
decoding proble
Changes for jackson-databind:
* Update to 2.18.8
* Changes of 2.18.8
* # 5950: Improve 'UUIDeserializer' error handling
* # 5951: Improve 'InetSocketAddress' deserialization
(bsc#1268899, CVE-2026-54514)
* # 5969: '@JsonView' by-passed for some "setterless" creator
properties
* # 5971: '@JsonView' by-passed for unwrapped creator parameters
* # 5974: '@JsonIgnore' on Record property ignored with
'PropertyNamingStrategy'
* # 5981: 'BasicPolymorphicTypeValidator' setting
'allowIfSubTypeIsArray()' should validate element type (bsc#1268898,
CVE-2026-54513)
* # 5988: 'PolymorphicTypeValidator' needs to validate generic
type parameters too (bsc#1268897, CVE-2026-54512)
* # 5993: 'UPPER_SNAKE_CASE' / 'LOWER_CASE' 'NamingStrategyImpls'
fold case using JVM default locale (Turkish-I bug)
* Changes of 2.18.4
* # 4628: '@JsonIgnore' and '@JsonProperty.access=READ_ONLY' on
Record property ignored for deserialization
* # 5049: Duplicate creator property "b" (index 0 vs 1) on simple
java record
* Changes of 2.18.3
* # 4444: The 'KeyDeserializer' specified in the class with
'@JsonDeserialize(keyUsing = ...)' is overwritten by the 'KeyDeserializer'
specified in the 'ObjectMapper'.
* # 4827: Subclassed Throwable deserialization fails since
v2.18.0 - no creator index for property 'cause'
* # 4844: Fix wrapped array handling wrt 'null' by
'StdDeserializer'
* # 4848: Avoid type pollution in 'StringCollectionDeserializer'
* # 4860: 'ConstructorDetector.USE_PROPERTIES_BASED' does not
work with multiple constructors since 2.18
* # 4878: When serializing a Map via
Converter(StdDelegatingSerializer), a NullPointerException is thrown due to
missing key serializer
* # 4908: Deserialization behavior change with @JsonCreator and
@ConstructorProperties between 2.17 and 2.18
* # 4917: 'BigDecimal' deserialization issue when using
'@JsonCreator'
* # 4920: Creator properties are ignored on abstract types when
collecting bean properties, breaking AsExternalTypeDeserializer
* # 4922: Failing '@JsonMerge' with a custom Map
* # 4932: Conversion of 'MissingNode' throws
'JsonProcessingException'
* Changes of 2.18.2
* # 4733: Wrong serialization of Type Ids for certain types of
Enum values
* # 4742: Deserialization with Builder, External type id,
'@JsonCreator' failing
* # 4777: 'StdValueInstantiator.withArgsCreator' is now set for
creators with no arguments
* # 4783 Possibly wrong behavior of @JsonMerge
* # 4787: Wrong 'String.format()' in 'StdDelegatingDeserializer'
hides actual error
* # 4788: 'EnumFeature.WRITE_ENUMS_TO_LOWERCASE' overrides
'@JsonProperty' values
* # 4790: Fix '@JsonAnySetter' issue with "setter" method
(related to #4639)
* # 4807: Improve 'FactoryBasedEnumDeserializer' to work better
with XML module
* # 4810: Deserialization using '@JsonCreator' with renamed
property failing (since 2.18)
* Changes of 2.18.1
* # 4508: Deserialized JsonAnySetter field in Kotlin data class
is null
* # 4639: @JsonAnySetter on field ignoring unrecognized
properties if they are declared before the last recognized properties in JSON
* # 4718: Should not fail on trying to serialize
'java.time.DateTimeException'
* # 4724: Deserialization behavior change with Records,
'@JsonCreator' and '@JsonValue' between 2.17 and 2.18
* # 4727: Eclipse having issues due'module-info' class "lost" on
2.18.0 jars
* # 4741: When 'Include.NON_DEFAULT' setting is used on POJO,
empty values are not included in json if default is 'null'
* # 4749: Fixed a problem with
'StdDelegatingSerializer#serializeWithType' looking up the serializer with the
wrong argument
* Changes of 2.18.0
* # 562: Allow '@JsonAnySetter' to flow through Creators
* # 806: Problem with 'NamingStrategy', creator methods with
implicit names
* # 2977: Incompatible 'FAIL_ON_MISSING_PRIMITIVE_PROPERTIES' and
field level '@JsonProperty'
* # 3120: Return 'ListIterator' from 'ArrayNode.elements()'
* # 3241: 'constructorDetector' seems to invalidate
'defaultSetterInfo' for nullability
* # 3439: Java Record '@JsonAnySetter' value is null after
deserialization
* # 4085: '@JsonView' does not work on class-level for records
* # 4119: Exception when deserialization uses a record with a
constructor property with 'access=READ_ONLY'
* # 4356: 'BeanDeserializerModifier::updateBuilder()' doesn't
work for beans with Creator methods
* # 4407: 'null' type id handling does not work with
'writeTypePrefix()'
* # 4452: '@JsonProperty' not serializing field names properly on
'@JsonCreator' in Record
* # 4453: Allow JSON Integer to deserialize into a single-arg
constructor of parameter type 'double'
* # 4456: Rework locking in 'DeserializerCache'
* # 4458: Rework synchronized block from 'BeanDeserializerBase'
* # 4464: When 'Include.NON_DEFAULT' setting is used, 'isEmpty()'
method is not called on the serializer
* # 4472: Rework synchronized block in 'TypeDeserializerBase'
* # 4483: Remove 'final' on method BeanSerializer.serialize()
* # 4515: Rewrite Bean Property Introspection logic in Jackson
2.x
* # 4545: Unexpected deserialization behavior with
'@JsonCreator', '@JsonProperty' and javac '-parameters'
* # 4570: Deprecate 'ObjectMapper.canDeserialize()'/'ObjectMapper
.canSerialize()'
* # 4580: Add 'MapperFeature
.SORT_CREATOR_PROPERTIES_BY_DECLARATION_ORDER' to use Creator properties'
declaration order for sorting
* # 4584: Provide extension point for detecting "primary"
Constructor for Kotlin (and similar) data classes
* # 4602: Possible wrong use of _arrayDelegateDeserializer in
BeanDeserializerBase::deserializeFromObjectUsingNonDefault()
* # 4617: Record property serialization order not preserved
* # 4626: '@JsonIgnore' on Record property ignored for
deserialization, if there is getter override
* # 4630: '@JsonIncludeProperties', '@JsonIgnoreProperties'
ignored when serializing Records, if there is getter override
* # 4634: '@JsonAnySetter' not working when annotated on both
constructor parameter & field
* # 4678: Java records don't serialize with 'MapperFeature
.REQUIRE_SETTERS_FOR_GETTERS'
* # 4688: Should allow deserializing with no-arg
'@JsonCreator(mode = DELEGATING)'
* # 4694: Deserializing 'BigDecimal' with large number of
decimals result in incorrect value
* # 4699: Add extra 'writeNumber()' method in 'TokenBuffer'
* # 4709: Add 'JacksonCollectors' with 'toArrayNode()'
implementation
* Fix #5962: Case-insensitive deserialization may use wrong
@JsonIgnoreProperties (bsc#1268902, CVE-2026-54515)
## Patch Instructions:
To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:
* SUSE Linux Enterprise Server 16.0
zypper in -t patch SUSE-SLES-16.0-1124=1
* SUSE Linux Enterprise Server for SAP applications 16.0
zypper in -t patch SUSE-SLES-16.0-1124=1
## Package List:
* SUSE Linux Enterprise Server 16.0 (noarch)
* jackson-core-2.18.8-160000.1.1
* jackson-databind-javadoc-2.18.8-160000.1.1
* jackson-databind-2.18.8-160000.1.1
* jackson-annotations-2.18.8-160000.1.1
* jackson-annotations-javadoc-2.18.8-160000.1.1
* jackson-core-javadoc-2.18.8-160000.1.1
* SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
* jackson-core-2.18.8-160000.1.1
* jackson-databind-javadoc-2.18.8-160000.1.1
* jackson-databind-2.18.8-160000.1.1
* jackson-annotations-2.18.8-160000.1.1
* jackson-annotations-javadoc-2.18.8-160000.1.1
* jackson-core-javadoc-2.18.8-160000.1.1
## References:
* https://www.suse.com/security/cve/CVE-2026-54512.html
* https://www.suse.com/security/cve/CVE-2026-54513.html
* https://www.suse.com/security/cve/CVE-2026-54514.html
* https://www.suse.com/security/cve/CVE-2026-54515.html
* https://bugzilla.suse.com/show_bug.cgi?id=1268603
* https://bugzilla.suse.com/show_bug.cgi?id=1268897
* https://bugzilla.suse.com/show_bug.cgi?id=1268898
* https://bugzilla.suse.com/show_bug.cgi?id=1268899
* https://bugzilla.suse.com/show_bug.cgi?id=1268902
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-security-updates/attachments/20260706/e9c26c40/attachment.htm>
More information about the sle-security-updates
mailing list