Bug 2431998 (CVE-2026-1225) - CVE-2026-1225 ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes
Summary: CVE-2026-1225 ch.qos.logback/logback-core: Malicious logback.xml configuration file allows instantiation of arbitrary classes
Keywords:
Status: NEW
Alias: CVE-2026-1225
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2433454 2433455 2433456 2433457 2433458 2433459 2433460
Blocks:
 
Reported: 2026-01-22 10:01 UTC by OSIDB Bzimport
Modified: 2026-02-18 08:29 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2026-01-22 10:01:36 UTC
An ACE (arbitrary code execution) vulnerability in configuration file processing by QOS.CH logback-core, up to and including version 1.5.24, in Java applications allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.

Exploitation requires that the class to be instantiated is already present on the application's class path, and the attacker must additionally have write access to a logback configuration file. Even then, after successful instantiation the instance is very likely to be discarded immediately without further use, which limits what the attacker gains beyond the side effects of the class's constructor.
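The two preconditions above (a class name planted in the configuration, and a config file the attacker can write) are what a defender can check for. The script below is an added example written for this page; it is not code from the logback project or from the bug report. It parses a logback.xml, lists every class named in a `class` attribute, flags those outside an allow-list of expected package prefixes (the allow-list is an assumption for illustration, not a published list), reports whether the file is group- or world-writable, and tells you whether a given logback-core version falls inside the affected range stated in the description. The embedded sample configuration and the `com.example.SomeClassOnTheClasspath` name are constructed placeholders.

```python
"""Audit logback.xml files for the conditions described in CVE-2026-1225.

Added example, not code from the logback project or from the bug report.
Logback's XML configuration names Java classes in ``class`` attributes
(appenders, encoders, layouts, ...) and instantiates them while loading the
configuration, so a config file an attacker can write becomes a way to
instantiate any class on the class path.
"""
import os
import stat
import xml.etree.ElementTree as ET

# Assumption: package prefixes an ordinary deployment expects to see named in
# logback.xml.  Tune this for your own application's appenders and encoders.
ALLOWED_PREFIXES = ("ch.qos.logback.",)

# Affected range as stated in the bug description: up to and including 1.5.24.
LAST_AFFECTED = (1, 5, 24)


def parse_version(v):
    """'1.5.24' -> (1, 5, 24); non-numeric suffixes such as '-SNAPSHOT' are dropped."""
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_affected_version(v):
    """True when logback-core version v is inside the range the bug lists."""
    return parse_version(v) <= LAST_AFFECTED


def classes_in_config(xml_text):
    """Return [(element tag, class name)] for every class= attribute in the config."""
    root = ET.fromstring(xml_text)
    return [(elem.tag, elem.get("class")) for elem in root.iter() if elem.get("class")]


def unexpected_classes(xml_text, allowed=ALLOWED_PREFIXES):
    """Class names in the config that fall outside the allow-listed packages."""
    return [cls for _tag, cls in classes_in_config(xml_text) if not cls.startswith(allowed)]


def writable_by_others(path):
    """True if group or world can write the file: the write-access precondition."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


# Constructed sample: a normal-looking logback.xml plus one extra element that
# names a class outside the logging library.  The class name is a placeholder.
SAMPLE_CONFIG = """<configuration>
  <appender name="STDOUT" class="ch.qos.logback.core.ConsoleAppender">
    <encoder class="ch.qos.logback.classic.encoder.PatternLayoutEncoder">
      <pattern>%d %-5level %logger - %msg%n</pattern>
    </encoder>
  </appender>
  <appender name="EXTRA" class="com.example.SomeClassOnTheClasspath"/>
  <root level="INFO"><appender-ref ref="STDOUT"/></root>
</configuration>
"""

if __name__ == "__main__":
    import sys
    paths = sys.argv[1:]
    if not paths:
        print("no path given; auditing the embedded sample config")
        for tag, cls in classes_in_config(SAMPLE_CONFIG):
            print(f"  <{tag} class={cls!r}>")
        print("unexpected:", unexpected_classes(SAMPLE_CONFIG))
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        print(path)
        for cls in unexpected_classes(text):
            print("  unexpected class:", cls)
        if writable_by_others(path):
            print("  WARNING: file is group- or world-writable")
```

Run it with one or more paths to logback.xml files (`python audit_logback.py /etc/myapp/logback.xml`); with no arguments it audits the embedded sample. A class outside the allow-list is not proof of compromise, since applications legitimately ship custom appenders, but each hit should be traceable to something the application deliberately configured, and a config file that is writable by anyone other than its owner should be fixed regardless of logback version.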

