Description
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library.

Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Published: 2026-03-31
Score: 8.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution
Action: Immediate Patch
AI Analysis

Impact

Sereal::Encoder, a Perl module, incorporates a version of the Zstandard library that has a race condition in its one-pass compression routine. Versions 4.000 through 4.009_002 are affected, and the flaw allows an attacker to write bytes out of bounds when the output buffer is smaller than recommended, leading to memory corruption and potentially arbitrary code execution (CWE-1395).

Affected Systems

The vulnerability impacts the Sereal::Encoder module released by YVES for Perl, affecting all releases from 4.000 up to and including 4.009_002.

Risk and Exploitability

The flaw carries a CVSS score of 8.1, marking it as high severity, yet its EPSS score is below 1%, indicating a low likelihood of current exploitation. The vulnerability is not listed in the CISA KEV catalog. Attackers would need to supply crafted data to the vulnerable compression function, so the attack vector is inferred to be local or remote depending on how the module is used in an application. Upgrading to version 4.010 or later removes the embedded vulnerable Zstandard code and eliminates the risk.

Generated by OpenCVE AI on March 31, 2026 at 16:23 UTC.

Remediation

Vendor Solution

Upgrade to Sereal::Encoder version 4.010 or later.

OpenCVE Recommended Actions

  • Upgrade to Sereal::Encoder version 4.010 or later.

Generated by OpenCVE AI on March 31, 2026 at 16:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 01 Apr 2026 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Yves
Yves sereal::encoder
Vendors & Products Yves
Yves sereal::encoder

Tue, 31 Mar 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 31 Mar 2026 11:45:00 +0000

Type Values Removed Values Added
Description Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Title Sereal::Encoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library
Weaknesses CWE-1395
References

Subscriptions

Yves Sereal::encoder
cve-icon MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-03-31T14:19:27.286Z

Reserved: 2026-03-29T15:12:06.674Z

Link: CVE-2024-14031

cve-icon Vulnrichment

Updated: 2026-03-31T14:09:59.495Z

cve-icon NVD

Status : Received

Published: 2026-03-31T12:16:26.310

Modified: 2026-03-31T15:16:09.100

Link: CVE-2024-14031

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-31T20:38:48Z

Weaknesses