Description
YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities, including a high-severity heap buffer overflow in the YAML emitter.

The heap overflow occurs when class names exceed the initial 512-byte allocation.

The base64 decoder could read past the buffer end on trailing newlines.

strtok mutated n->type_id in place, corrupting shared node data.

A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.
Published: 2026-03-16
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Heap Buffer Overflow
Action: Patch Immediately
AI Analysis

Impact

YAML::Syck versions up to 1.36 for Perl contain a severe heap buffer overflow in the YAML emitter that is triggered when a class name exceeds the initial 512‑byte allocation. The overflow can corrupt adjacent heap memory and potentially lead to unintended code execution or program termination. Additional weaknesses include a base64 decoder that reads past the end of its buffer on trailing newlines, an in‑place strtok call that mutates n->type_id and corrupts shared node data, and a memory leak of the incoming anchor string in syck_hdlr_add_anchor when a node already has an anchor. These defects fall under CWE‑120 (buffer copy without checking the size of input) and CWE‑122 (heap‑based buffer overflow).

Affected Systems

The affected component is the Perl module YAML::Syck, published on CPAN by the TODDR vendor. Any Perl application that loads this module, whether a web service, a command‑line tool, or any process that parses or emits YAML, is at risk. The problem exists in all releases through version 1.36. Upgrading to version 1.37 or later removes the known defects, as the vendor has corrected the allocation and bounds checks that were responsible for the overflow.

Risk and Exploitability

The CVSS score of 9.1 indicates critical severity. The EPSS score is reported as less than 1%, which suggests that active exploitation is currently rare, and the vulnerability is not listed in the CISA KEV catalog. The exact attack vector is not explicitly detailed in the advisory; based on the description, an attacker would need to supply malformed or malicious YAML input to the vulnerable module, for example through network traffic, file uploads, or other data feeds that the application parses. Because the vulnerability requires untrusted YAML data, the risk is reduced where an application validates or sanitizes its input, but where such controls are absent the potential for arbitrary code execution remains high. Overall, the combination of high impact and the possibility of remote exploitation makes patching a priority.

Generated by OpenCVE AI on March 23, 2026 at 20:30 UTC.

Remediation

Vendor Solution

Upgrade to version 1.37 or higher.
OpenCVE Recommended Actions

  • Upgrade Perl module YAML::Syck to version 1.37 or newer
  • Confirm that Perl applications now load the updated module version
  • Restart affected services to ensure the updated module is in use

Advisories

Source: Debian DSA
ID: DSA-6175-1
Title: libyaml-syck-perl security update

History

Mon, 23 Mar 2026 18:30:00 +0000

Type Values Removed Values Added
First Time appeared Toddr yaml\
CPEs cpe:2.3:a:toddr:yaml\:\:syck:*:*:*:*:*:perl:*:*
Vendors & Products Toddr yaml\

Tue, 17 Mar 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H'}


Tue, 17 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-120
References
Metrics threat_severity

None

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}

threat_severity

Important


Tue, 17 Mar 2026 10:00:00 +0000

Type Values Removed Values Added
First Time appeared Toddr
Toddr yaml::syck
Vendors & Products Toddr
Toddr yaml::syck

Tue, 17 Mar 2026 02:30:00 +0000

Type Values Removed Values Added
References

Mon, 16 Mar 2026 22:45:00 +0000

Type Values Removed Values Added
Description YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.
Title YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter
Weaknesses CWE-122
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-03-17T14:04:53.600Z

Reserved: 2026-03-14T19:36:56.710Z

Link: CVE-2026-4177

Vulnrichment

Updated: 2026-03-17T01:34:04.213Z

NVD

Status : Analyzed

Published: 2026-03-16T23:16:21.543

Modified: 2026-03-23T18:17:31.370

Link: CVE-2026-4177

Redhat

Severity : Important

Public Date: 2026-03-16T22:30:25Z

Links: CVE-2026-4177 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:49:44Z

Weaknesses