This vulnerability in Cista v0.15 and below involves insecure deserialization that allows leaking of memory addresses due to insufficient validation of pointer-like classes in the cista::raw namespace. Specifically, Cista does not properly safeguard against self-referencing pointers or references to other data within the deserialized payload, enabling attackers to obtain stack or heap addresses. Such information can be used to bypass ASLR protections. The vulnerability is identified as CWE-502 (Deserialization of Untrusted Data) and has a CVSS 3.1 base score of 5.3, indicating medium severity. There is no known exploit in the wild and no official remediation or patch has been provided as of the published date.

Successful exploitation can lead to leakage of stack or heap memory addresses, which may assist attackers in bypassing ASLR. This does not directly lead to code execution or data modification but reduces the effectiveness of memory protection mechanisms, potentially facilitating further attacks.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should avoid deserializing untrusted input with affected versions of Cista or implement additional application-level checks to prevent processing untrusted data. Monitor vendor channels for updates.