Invoking overridable methods from the readObject() method can allow the overriding method to read the state of the subclass before it is fully constructed. Deserialization restores the fields of the base class (and runs its readObject()) first and only then restores the fields of the subclass, so an overriding method in the subclass runs while the subclass's own fields still hold their default values (null, 0, false). Therefore readObject() must not call any overridable methods.
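The following is an added example, not code from the CERT page or its authors; the class and field names (Base, Sub, SafeBase, SafeSub, limit, owner) are made up for illustration. The noncompliant pair lets Base.readObject() call the overridable validate(), and the subclass's override dereferences a field that has not been restored yet. The compliant pair calls only a private (hence non-overridable) check from the base class and lets each class validate its own fields in its own readObject(), after defaultReadObject() has restored them.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidObjectException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;

public class ReadObjectDemo {

    /* Noncompliant: Base.readObject() invokes the overridable validate(). */
    static class Base implements Serializable {
        private static final long serialVersionUID = 1L;
        private int limit;

        Base(int limit) { this.limit = limit; }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            validate();   // overridable: runs before Sub's fields are restored
        }

        protected void validate() throws InvalidObjectException {
            if (limit < 0) throw new InvalidObjectException("limit < 0");
        }
    }

    static class Sub extends Base {
        private static final long serialVersionUID = 1L;
        private String owner;   // still null when Base.readObject() calls validate()

        Sub(int limit, String owner) { super(limit); this.owner = owner; }

        @Override
        protected void validate() throws InvalidObjectException {
            super.validate();
            // During deserialization owner is null here, so this throws NullPointerException
            if (owner.isEmpty()) throw new InvalidObjectException("empty owner");
        }
    }

    /* Compliant: readObject() calls only non-overridable methods, and each class
       validates its own state once its own fields have been read. */
    static class SafeBase implements Serializable {
        private static final long serialVersionUID = 1L;
        private int limit;

        SafeBase(int limit) { this.limit = limit; }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();
            checkBase();   // private, so it cannot be overridden by a subclass
        }

        private void checkBase() throws InvalidObjectException {
            if (limit < 0) throw new InvalidObjectException("limit < 0");
        }
    }

    static class SafeSub extends SafeBase {
        private static final long serialVersionUID = 1L;
        private String owner;

        SafeSub(int limit, String owner) { super(limit); this.owner = owner; }

        private void readObject(ObjectInputStream in)
                throws IOException, ClassNotFoundException {
            in.defaultReadObject();   // owner has now been restored from the stream
            if (owner == null || owner.isEmpty()) {
                throw new InvalidObjectException("empty owner");
            }
        }
    }

    /* Serialize an object to a byte array and read it back (in-memory round trip). */
    static Object roundTrip(Object o) throws IOException, ClassNotFoundException {
        ByteArrayOutputStream bytes = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bytes)) {
            out.writeObject(o);
        }
        try (ObjectInputStream in = new ObjectInputStream(
                new ByteArrayInputStream(bytes.toByteArray()))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        try {
            roundTrip(new Sub(10, "alice"));
        } catch (NullPointerException e) {
            System.out.println("noncompliant: overriding validate() ran with owner == null");
        }
        SafeSub s = (SafeSub) roundTrip(new SafeSub(10, "alice"));
        System.out.println("compliant: deserialized owner = " + s.owner);
    }
}
```

Running the demo shows the noncompliant round trip failing with a NullPointerException raised from inside Sub.validate(), because ObjectInputStream runs Base.readObject() before it reads Sub's field data. The compliant round trip succeeds, and a stream carrying a malformed owner would be rejected by SafeSub's own readObject() with an InvalidObjectException rather than by an unrelated runtime exception.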
Also see the related rule MET07-J. Do not invoke overridable methods in clone().
...
Search for vulnerabilities resulting from the violation of this rule on the CERT website.
Bibliography
...