Description
Sereal::Decoder versions 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library.

Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Published: 2026-03-31
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Immediate Patch
AI Analysis

Impact

Sereal::Decoder embeds an older Zstandard library that is vulnerable to a race condition in its one-pass compression functions. The flaw can cause out-of-bounds writes when an output buffer smaller than the recommended size is used, potentially allowing an attacker to corrupt memory and execute arbitrary code. This weakness is reflected in CWE-1395 and CWE-787, indicating a race condition leading to an out-of-bounds write.

Affected Systems

Sereal::Decoder versions 4.000 through 4.009_002 for Perl, distributed by vendor Yves. Any Perl environment that loads one of those versions of the decoder is potentially affected. Upgrading to version 4.010 or later removes the vulnerable Zstandard code.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity, while the EPSS score of less than 1% suggests exploitation is currently unlikely. The vulnerability is not listed in the CISA KEV catalog. Because the defect resides in a library used during decoding, an attacker could supply crafted data to trigger the race condition; exploiting it would likely require some level of code execution or memory corruption on the target system. The attack vector is inferred to be remote if the decoder processes untrusted data, and local if only trusted data is decoded.

Generated by OpenCVE AI on April 13, 2026 at 16:08 UTC.

Remediation

Vendor Solution

Upgrade to Sereal::Decoder version 4.010 or later.


OpenCVE Recommended Actions

  • Upgrade Sereal::Decoder to version 4.010 or later.
  • Verify that no older versions of Sereal::Decoder remain in the environment.
  • If immediate upgrade is impossible, temporarily restrict or sanitize incoming data processed by the decoder until a patch is applied.
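To support the "verify that no older versions remain" step, here is an added example (not OpenCVE's or the Sereal project's own code): a Perl script that walks @INC, reads the version out of every Sereal/Decoder.pm it finds without loading the module, and flags copies inside the affected range. It assumes the module declares its version in the usual `our $VERSION = '...';` form.

```perl
#!/usr/bin/env perl
# Added example: list every Sereal::Decoder in @INC and flag copies in the
# affected range 4.000 .. 4.009_002 (first fixed release: 4.010).
use strict;
use warnings;
use version;
use File::Spec;

my $FIRST_AFFECTED = version->parse('4.000');
my $FIRST_FIXED    = version->parse('4.010');

# Read $VERSION from Decoder.pm without loading the module (assumes the usual
# "our $VERSION = '4.009_002';" form); no XS code is executed.
sub extract_version {
    my ($path) = @_;
    open my $fh, '<', $path or return;
    while (my $line = <$fh>) {
        return $1 if $line =~ /\$VERSION\s*=\s*['"]?([0-9][0-9._]*)['"]?/;
    }
    return;
}

# Perl dev releases carry an underscore (4.009_002); drop it so the string
# compares as the decimal release it belongs to (4.009002 < 4.010).
sub is_affected {
    my ($vstr) = @_;
    (my $clean = $vstr) =~ s/_//g;
    my $v = version->parse($clean);
    return $v >= $FIRST_AFFECTED && $v < $FIRST_FIXED;
}

my @found;
for my $dir (@INC) {
    next if ref $dir;    # skip @INC hooks
    my $pm = File::Spec->catfile($dir, 'Sereal', 'Decoder.pm');
    push @found, [$pm, extract_version($pm) // 'unknown'] if -f $pm;
}
if (!@found) {
    print "Sereal::Decoder not found in \@INC\n";
    exit 0;
}
my $bad = 0;
for my $f (@found) {
    my ($pm, $v) = @$f;
    my $state = $v eq 'unknown' ? 'UNKNOWN'
              : is_affected($v) ? 'AFFECTED' : 'ok';
    $bad++ if $state ne 'ok';
    printf "%-8s %s (%s)\n", $state, $pm, $v;
}
exit($bad ? 1 : 0);
```

Run it under each Perl interpreter in use (system perl, perlbrew, plenv, containers), since each has its own @INC; a non-zero exit means at least one affected or unidentifiable copy was found.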



Advisories

No advisories yet.

History

Mon, 13 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared Yves sereal\
Weaknesses CWE-787
CPEs cpe:2.3:a:yves:sereal\:\:decoder:*:*:*:*:*:perl:*:*
Vendors & Products Yves sereal\

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Values Removed: Sereal::Decoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
  Values Added: Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library. Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Title
  Values Removed: Sereal::Decoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library
  Values Added: Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Yves
Yves sereal::decoder
Vendors & Products Yves
Yves sereal::decoder

Tue, 31 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 11:45:00 +0000

Type Values Removed Values Added
Description Sereal::Decoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Title Sereal::Decoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library
Weaknesses CWE-1395
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-01T16:29:33.903Z

Reserved: 2026-03-28T19:49:07.023Z

Link: CVE-2024-14030

Vulnrichment

Updated: 2026-03-31T14:17:35.906Z

NVD

Status : Analyzed

Published: 2026-03-31T12:16:26.153

Modified: 2026-04-13T14:07:54.600

Link: CVE-2024-14030

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:42:24Z

Weaknesses