SUSE-SU-2026:22504-1: important: Security update for jackson-annotations, jackson-core, jackson-databind

SLE-UPDATES null at suse.de
Mon Jul 6 16:31:27 UTC 2026


# Security update for jackson-annotations, jackson-core, jackson-databind

Announcement ID: SUSE-SU-2026:22504-1  
Release Date: 2026-07-01T09:06:57Z  
Rating: important  
References:

  * bsc#1268603
  * bsc#1268897
  * bsc#1268898
  * bsc#1268899
  * bsc#1268902

  
Cross-References:

  * CVE-2026-54512
  * CVE-2026-54513
  * CVE-2026-54514
  * CVE-2026-54515

  
CVSS scores:

  * CVE-2026-54512 ( SUSE ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-54512 ( NVD ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-54513 ( SUSE ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-54513 ( NVD ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-54513 ( NVD ):  8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
  * CVE-2026-54514 ( SUSE ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  * CVE-2026-54514 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
  * CVE-2026-54515 ( SUSE ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
  * CVE-2026-54515 ( NVD ):  5.3 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

  
Affected Products:

  * SUSE Linux Enterprise Server 16.0
  * SUSE Linux Enterprise Server for SAP applications 16.0

  
  
An update that solves four vulnerabilities and has one fix can now be installed.

## Description:

This update for jackson-annotations, jackson-core, jackson-databind fixes the
following issues

  * CVE-2026-54512: jackson-databind has a PolymorphicTypeValidator bypass via
    generic type parameters that allows arbitrary class instantiation
    (bsc#1268897).
  * CVE-2026-54513: jackson-databind has an array subtype allowlist bypass in
    BasicPolymorphicTypeValidator (bsc#1268898).
  * CVE-2026-54514: InetSocketAddress deserialization triggers eager DNS
    resolution (bsc#1268899).
  * CVE-2026-54515: jackson-databind has case-insensitive deserialization
    bypasses per-property @JsonIgnoreProperties (bsc#1268902).
  * document length constraint bypass in blocking, async, and DataInput parsers
    (bsc#1268603).

Changes for jackson-annotations:

  * Update to 2.18.8
  * No changes since 2.17.3

Changes for jackson-core:

  * Update to 2.18.8
  * Changes of 2.18.8
  * # 1611: Apply number-length validator on streaming integer path

of async parser

  * Changes of 2.18.7
  * # 1570: Fail parsing from 'DataInput' if 'StreamReadConstraints

.getMaxDocumentLength()' set (bsc#1268603, GHSA-2m67-wjpj-xhg9)

  * # 1600: Rework 3rd party licenses in jar

  * # 1602: 'UTF8DataInputJsonParser' needs to enforce

'StreamReadConstraints.maxNameLength' limit

  * Changes of 2.18.6
  * # 1512: Number-parsing fix for 'UTF8DataInputJsonParser'

  * # 1548: 'StreamReadConstraints.maxDocumentLength' not checked

when creating parser with fixed buffer

  * # 1555: Enforce 'StreamReadConstraints.maxNumberLength' for

non-blocking (async) parser

  * Changes of 2.18.5
  * # 1433: 'JsonParser#getNumberType()' throws

'JsonParseException' when the current token is non-numeric instead of returning
null

  * # 1446: Invalid package reference to "java.lang.foreign" from

'com.fasterxml.jackson.core:jackson-core' (from 'FastDoubleParser')

  * Changes of 2.18.3
  * # 1391: Fix issue where the parser can read back old number

state when parsing later numbers

  * # 1397: Jackson changes additional values to infinite in case

of special JSON structures and existing infinite values

  * # 1398: Fix issue that feature

COMBINE_UNICODE_SURROGATES_IN_UTF8 doesn't work when custom characterEscape is
used

  * Changes of 2.18.2
  * # 1359: Non-surrogate characters being incorrectly combined

when 'JsonWriteFeature.COMBINE_UNICODE_SURROGATES_IN_UTF8' is enabled

  * Changes of 2.18.1
  * # 1353: Use fastdoubleparser 1.0.90

  * Changes of 2.18.
  * # 223: 'UTF8JsonGenerator' writes supplementary characters as a

surrogate pair: should use 4-byte encoding

  * # 1230: Improve performance of 'float' and 'double' parsing

from 'TextBuffer'

  * # 1251: 'InternCache' replace synchronized with 'ReentrantLock'

  * the cache size limit is no longer strictly enforced for performance reasons
    but we should never go far about the limit
  * # 1252: 'ThreadLocalBufferManager' replace synchronized with

'ReentrantLock'

  * # 1257: Increase InternCache default max size from 100 to 200

  * # 1262: Add diagnostic method 'pooledCount()' in 'RecyclerPool'

  * # 1264: Rename shaded 'ch.randelshofer:fastdoubleparser'

classes to prevent use by downstream consumers

  * # 1271: Deprecate 'LockFreePool' implementation in 2.18 (remove

from 3.0)

  * # 1274: 'NUL'-corrupted keys, values on JSON serialization

  * # 1277: Add back Java 22 optimisation in FastDoubleParser

  * # 1284: Optimize 'JsonParser.getDoubleValue()/getFloatValue()

/getDecimalValue()' to avoid String allocation

  * # 1305: Make helper methods of 'WriterBasedJsonGenerator'

non-final to allow overriding

  * # 1310: Add new 'StreamReadConstraints' ('maxTokenCount') to

limit maximum number of Tokens allowed per document#

  * # 1331: Update to FastDoubleParser v1.0.1 to fix 'BigDecimal'

decoding proble

Changes for jackson-databind:

  * Update to 2.18.8
  * Changes of 2.18.8
  * # 5950: Improve 'UUIDeserializer' error handling

  * # 5951: Improve 'InetSocketAddress' deserialization

(bsc#1268899, CVE-2026-54514)

  * # 5969: '@JsonView' by-passed for some "setterless" creator

properties

  * # 5971: '@JsonView' by-passed for unwrapped creator parameters

  * # 5974: '@JsonIgnore' on Record property ignored with

'PropertyNamingStrategy'

  * # 5981: 'BasicPolymorphicTypeValidator' setting

'allowIfSubTypeIsArray()' should validate element type (bsc#1268898,
CVE-2026-54513)

  * # 5988: 'PolymorphicTypeValidator' needs to validate generic

type parameters too (bsc#1268897, CVE-2026-54512)

  * # 5993: 'UPPER_SNAKE_CASE' / 'LOWER_CASE' 'NamingStrategyImpls'

fold case using JVM default locale (Turkish-I bug)

  * Changes of 2.18.4
  * # 4628: '@JsonIgnore' and '@JsonProperty.access=READ_ONLY' on

Record property ignored for deserialization

  * # 5049: Duplicate creator property "b" (index 0 vs 1) on simple

java record

  * Changes of 2.18.3
  * # 4444: The 'KeyDeserializer' specified in the class with

'@JsonDeserialize(keyUsing = ...)' is overwritten by the 'KeyDeserializer'
specified in the 'ObjectMapper'.

  * # 4827: Subclassed Throwable deserialization fails since

v2.18.0 - no creator index for property 'cause'

  * # 4844: Fix wrapped array handling wrt 'null' by

'StdDeserializer'

  * # 4848: Avoid type pollution in 'StringCollectionDeserializer'

  * # 4860: 'ConstructorDetector.USE_PROPERTIES_BASED' does not

work with multiple constructors since 2.18

  * # 4878: When serializing a Map via

Converter(StdDelegatingSerializer), a NullPointerException is thrown due to
missing key serializer

  * # 4908: Deserialization behavior change with @JsonCreator and

@ConstructorProperties between 2.17 and 2.18

  * # 4917: 'BigDecimal' deserialization issue when using

'@JsonCreator'

  * # 4920: Creator properties are ignored on abstract types when

collecting bean properties, breaking AsExternalTypeDeserializer

  * # 4922: Failing '@JsonMerge' with a custom Map

  * # 4932: Conversion of 'MissingNode' throws

'JsonProcessingException'

  * Changes of 2.18.2
  * # 4733: Wrong serialization of Type Ids for certain types of

Enum values

  * # 4742: Deserialization with Builder, External type id,

'@JsonCreator' failing

  * # 4777: 'StdValueInstantiator.withArgsCreator' is now set for

creators with no arguments

  * # 4783 Possibly wrong behavior of @JsonMerge

  * # 4787: Wrong 'String.format()' in 'StdDelegatingDeserializer'

hides actual error

  * # 4788: 'EnumFeature.WRITE_ENUMS_TO_LOWERCASE' overrides

'@JsonProperty' values

  * # 4790: Fix '@JsonAnySetter' issue with "setter" method

(related to #4639)

  * # 4807: Improve 'FactoryBasedEnumDeserializer' to work better

with XML module

  * # 4810: Deserialization using '@JsonCreator' with renamed

property failing (since 2.18)

  * Changes of 2.18.1
  * # 4508: Deserialized JsonAnySetter field in Kotlin data class

is null

  * # 4639: @JsonAnySetter on field ignoring unrecognized

properties if they are declared before the last recognized properties in JSON

  * # 4718: Should not fail on trying to serialize

'java.time.DateTimeException'

  * # 4724: Deserialization behavior change with Records,

'@JsonCreator' and '@JsonValue' between 2.17 and 2.18

  * # 4727: Eclipse having issues due'module-info' class "lost" on

2.18.0 jars

  * # 4741: When 'Include.NON_DEFAULT' setting is used on POJO,

empty values are not included in json if default is 'null'

  * # 4749: Fixed a problem with

'StdDelegatingSerializer#serializeWithType' looking up the serializer with the
wrong argument

  * Changes of 2.18.0
  * # 562: Allow '@JsonAnySetter' to flow through Creators

  * # 806: Problem with 'NamingStrategy', creator methods with

implicit names

  * # 2977: Incompatible 'FAIL_ON_MISSING_PRIMITIVE_PROPERTIES' and

field level '@JsonProperty'

  * # 3120: Return 'ListIterator' from 'ArrayNode.elements()'

  * # 3241: 'constructorDetector' seems to invalidate

'defaultSetterInfo' for nullability

  * # 3439: Java Record '@JsonAnySetter' value is null after

deserialization

  * # 4085: '@JsonView' does not work on class-level for records

  * # 4119: Exception when deserialization uses a record with a

constructor property with 'access=READ_ONLY'

  * # 4356: 'BeanDeserializerModifier::updateBuilder()' doesn't

work for beans with Creator methods

  * # 4407: 'null' type id handling does not work with

'writeTypePrefix()'

  * # 4452: '@JsonProperty' not serializing field names properly on

'@JsonCreator' in Record

  * # 4453: Allow JSON Integer to deserialize into a single-arg

constructor of parameter type 'double'

  * # 4456: Rework locking in 'DeserializerCache'

  * # 4458: Rework synchronized block from 'BeanDeserializerBase'

  * # 4464: When 'Include.NON_DEFAULT' setting is used, 'isEmpty()'

method is not called on the serializer

  * # 4472: Rework synchronized block in 'TypeDeserializerBase'

  * # 4483: Remove 'final' on method BeanSerializer.serialize()

  * # 4515: Rewrite Bean Property Introspection logic in Jackson

2.x

  * # 4545: Unexpected deserialization behavior with

'@JsonCreator', '@JsonProperty' and javac '-parameters'

  * # 4570: Deprecate 'ObjectMapper.canDeserialize()'/'ObjectMapper

.canSerialize()'

  * # 4580: Add 'MapperFeature

.SORT_CREATOR_PROPERTIES_BY_DECLARATION_ORDER' to use Creator properties'
declaration order for sorting

  * # 4584: Provide extension point for detecting "primary"

Constructor for Kotlin (and similar) data classes

  * # 4602: Possible wrong use of _arrayDelegateDeserializer in

BeanDeserializerBase::deserializeFromObjectUsingNonDefault()

  * # 4617: Record property serialization order not preserved

  * # 4626: '@JsonIgnore' on Record property ignored for

deserialization, if there is getter override

  * # 4630: '@JsonIncludeProperties', '@JsonIgnoreProperties'

ignored when serializing Records, if there is getter override

  * # 4634: '@JsonAnySetter' not working when annotated on both

constructor parameter & field

  * # 4678: Java records don't serialize with 'MapperFeature

.REQUIRE_SETTERS_FOR_GETTERS'

  * # 4688: Should allow deserializing with no-arg

'@JsonCreator(mode = DELEGATING)'

  * # 4694: Deserializing 'BigDecimal' with large number of

decimals result in incorrect value

  * # 4699: Add extra 'writeNumber()' method in 'TokenBuffer'

  * # 4709: Add 'JacksonCollectors' with 'toArrayNode()'

implementation

  * Fix #5962: Case-insensitive deserialization may use wrong
    @JsonIgnoreProperties (bsc#1268902, CVE-2026-54515)

## Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like
YaST online_update or "zypper patch".  
Alternatively you can run the command listed for your product:

  * SUSE Linux Enterprise Server 16.0  
    zypper in -t patch SUSE-SLES-16.0-1124=1

  * SUSE Linux Enterprise Server for SAP applications 16.0  
    zypper in -t patch SUSE-SLES-16.0-1124=1

## Package List:

  * SUSE Linux Enterprise Server 16.0 (noarch)
    * jackson-core-2.18.8-160000.1.1
    * jackson-databind-javadoc-2.18.8-160000.1.1
    * jackson-databind-2.18.8-160000.1.1
    * jackson-annotations-2.18.8-160000.1.1
    * jackson-annotations-javadoc-2.18.8-160000.1.1
    * jackson-core-javadoc-2.18.8-160000.1.1
  * SUSE Linux Enterprise Server for SAP applications 16.0 (noarch)
    * jackson-core-2.18.8-160000.1.1
    * jackson-databind-javadoc-2.18.8-160000.1.1
    * jackson-databind-2.18.8-160000.1.1
    * jackson-annotations-2.18.8-160000.1.1
    * jackson-annotations-javadoc-2.18.8-160000.1.1
    * jackson-core-javadoc-2.18.8-160000.1.1

## References:

  * https://www.suse.com/security/cve/CVE-2026-54512.html
  * https://www.suse.com/security/cve/CVE-2026-54513.html
  * https://www.suse.com/security/cve/CVE-2026-54514.html
  * https://www.suse.com/security/cve/CVE-2026-54515.html
  * https://bugzilla.suse.com/show_bug.cgi?id=1268603
  * https://bugzilla.suse.com/show_bug.cgi?id=1268897
  * https://bugzilla.suse.com/show_bug.cgi?id=1268898
  * https://bugzilla.suse.com/show_bug.cgi?id=1268899
  * https://bugzilla.suse.com/show_bug.cgi?id=1268902

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.suse.com/pipermail/sle-updates/attachments/20260706/f2cb32e8/attachment.htm>


More information about the sle-updates mailing list