Description
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.

Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922, a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Published: 2026-03-31
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Memory corruption leading to potential code execution
Action: Apply Patch
AI Analysis

Impact

The flaw is a race condition in the one-pass compression functions of the Zstandard library that Sereal::Encoder versions 4.000 through 4.009_002 embed. When the compressor is handed an output buffer smaller than the recommended size (the worst-case bound zstd reports through ZSTD_compressBound() for the input length), the race allows compressed bytes to be written past the end of that buffer. The overwrite can corrupt adjacent memory and, in the worst case, lead to arbitrary code execution in the Perl process. The record carries two weaknesses: CWE-787 (out-of-bounds write) for the memory error itself, and CWE-1395 (dependency on a vulnerable third-party component), which captures that the defect lives in the bundled zstd rather than in Sereal's own code. CWE-1395 is not a race-condition weakness; the concurrency aspect is described only in the CVE text.

Affected Systems

The affected product is Sereal::Encoder for Perl, published on CPAN under the author ID YVES (recorded as vendor "yves" in the NVD CPE). All releases from version 4.000 up to and including 4.009_002 ship the vulnerable embedded Zstandard implementation. Versions 4.010 and later ship the fixed library and are not affected. Because zstd is embedded in the module rather than taken from the system libzstd, updating the operating system's zstd package does not address this issue; the module itself must be upgraded and rebuilt.

Risk and Exploitability

The CVSS v3.1 base score is 8.1 (High), vector AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H: no privileges or user interaction are required and the confidentiality, integrity and availability impacts are all rated high, but attack complexity is high because exploitation depends on winning a race inside the compressor and on the calling code using an undersized output buffer. The network attack vector models the common deployment in which a service accepts untrusted data and encodes it with Sereal::Encoder; the attacker needs no local access, only the ability to feed input into such a code path. Two practical caveats narrow exposure: zstd compression is opt-in in Sereal::Encoder (the compress => SRL_ZSTD option), so encoders configured with no compression, Snappy or zlib never invoke the affected functions; and the vulnerable code path requires an output buffer smaller than the recommended size. The EPSS score puts the probability of exploitation in the wild below 1%, the SSVC assessment records no known exploitation and rates the flaw not automatable, and it is not listed in CISA's KEV catalog. No public exploit is known.

Generated by OpenCVE AI on April 13, 2026 at 14:42 UTC.

Remediation

Vendor Solution

Upgrade to Sereal::Encoder version 4.010 or later.


OpenCVE Recommended Actions

  • Upgrade Sereal::Encoder to version 4.010 or later.
  • Reinstall or rebuild Sereal::Encoder from source (it is an XS module, so the bundled zstd is compiled in at build time) and verify that the running interpreter actually loads the new version rather than a stale copy earlier in @INC.
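The two actions above reduce to one question per host: is the loaded Sereal::Encoder inside the affected range 4.000 .. 4.009_002? The script below is an added example, not part of the OpenCVE record or the Sereal project. It normalises CPAN developer-release versions (the underscore in 4.009_002 is not numerically significant, so it is stripped), compares as decimal numbers, and reports a verdict. It assumes perl and Sereal::Encoder are reachable from the shell; the function names sereal_affected, sereal_verdict, installed_sereal_version and check_installed are this example's own.

```shell
#!/bin/sh
# Added example (not from the CVE record or the Sereal project): flag
# Sereal::Encoder versions affected by CVE-2024-14031 (embedded zstd < 1.3.8).
# Affected range per the advisory: 4.000 through 4.009_002 inclusive.

# sereal_affected VERSION -> exit 0 if VERSION is in the affected range, 1 otherwise.
# CPAN dev releases carry an underscore (4.009_002 == 4.009002 numerically),
# so it is removed before the numeric comparison in awk.
sereal_affected() {
    v=$(printf '%s' "$1" | tr -d '_')
    awk -v v="$v" 'BEGIN { exit !(v + 0 >= 4.000 && v + 0 <= 4.009002) }'
}

# sereal_verdict VERSION -> human-readable verdict; exit 1 when affected.
sereal_verdict() {
    if sereal_affected "$1"; then
        printf 'AFFECTED: Sereal::Encoder %s embeds zstd vulnerable to CVE-2019-11922 (CVE-2024-14031); upgrade to 4.010 or later and rebuild\n' "$1"
        return 1
    fi
    printf 'OK: Sereal::Encoder %s is outside the affected range 4.000..4.009_002\n' "$1"
    return 0
}

# Ask the interpreter which Sereal::Encoder it actually loads (assumes perl on PATH).
# This catches a stale copy earlier in @INC that a package-manager query would miss.
installed_sereal_version() {
    perl -MSereal::Encoder -e 'print $Sereal::Encoder::VERSION' 2>/dev/null
}

check_installed() {
    ver=$(installed_sereal_version) || { echo "Sereal::Encoder is not installed"; return 0; }
    sereal_verdict "$ver"
}

# Run the live check only when invoked with --check, so the functions can be sourced.
case "${1:-}" in
    --check) check_installed ;;
esac
```

Run it as sh sereal_check.sh --check on each host (or under each perlbrew/plenv interpreter); a non-zero exit marks an affected install. CPAN::Audit (cpan-audit installed) can serve as a cross-check, assuming its database already carries CVE-2024-14031.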


Advisories

No advisories yet.

History

Mon, 13 Apr 2026 13:00:00 +0000

Type Values Removed Values Added
First Time appeared: Yves sereal\
Weaknesses: CWE-787
CPEs: cpe:2.3:a:yves:sereal\:\:encoder:*:*:*:*:*:perl:*:*
Vendors & Products: Yves sereal\

Wed, 01 Apr 2026 23:45:00 +0000

Type Values Removed Values Added
Description
  Removed: Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
  Added: Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Title
  Removed: Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library
  Added: Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared: Yves; Yves sereal::encoder
Vendors & Products: Yves; Yves sereal::encoder

Tue, 31 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics: cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}
Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 31 Mar 2026 11:45:00 +0000

Type Values Removed Values Added
Description: Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Title: Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library
Weaknesses: CWE-1395
References:

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-04-01T16:30:00.649Z

Reserved: 2026-03-29T15:12:06.674Z

Link: CVE-2024-14031

Vulnrichment

Updated: 2026-03-31T14:09:59.495Z

NVD

Status : Analyzed

Published: 2026-03-31T12:16:26.310

Modified: 2026-04-13T12:53:12.687

Link: CVE-2024-14031

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-14T16:42:23Z

Weaknesses