Description
YAML::Syck versions before 1.38 for Perl have an out-of-bounds read.

The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:

    while ( colon >= ptr && *colon != ':' )
    {
        colon--;
    }
    if ( *colon == ':' ) *colon = '\0'; // colon may be ptr-1 here

When no colon is found (the final, leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer. Note that the loop condition itself short-circuits on colon >= ptr, so the out-of-bounds access is the dereference in the if statement, not the comparison inside the loop; and if that byte happens to be ':', the assignment that follows also stores a NUL one byte before the buffer.
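To make the quoted loop concrete, here is an added example (not code from YAML::Syck, the advisory or the project's fix) that re-creates the segment scan in C and runs it on the advisory's sample value, once with the original colon >= ptr condition and once with a bounds-checked colon > ptr variant. The value is copied behind a guard byte so the one-byte underread, and the conditional NUL underwrite, land on memory the program owns and can be inspected rather than on undefined behaviour. The outer segment loop, the value accumulation, the guard-byte harness and the bounds-checked variant are assumptions for illustration; the bounds-checked loop is not the project's actual patch.

```c
/* Added example, not code from YAML::Syck: re-creates the base60 segment scan
 * quoted in the advisory and runs it on a copy of the value placed after a
 * guard byte, so ptr[-1] is readable memory we control. The outer loop, the
 * value accumulation and the bounds-checked variant are assumptions. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct {
    long value;        /* accumulated sexagesimal value, e.g. "1:30:45" -> 5445 */
    int  segments;     /* segments consumed */
    int  read_before;  /* 1 if the scan dereferenced ptr[-1] */
    int  wrote_before; /* 1 if the scan stored '\0' at ptr[-1] */
    char guard_after;  /* the guard byte after the scan finished */
} scan_result;

/* Copies value into a fresh buffer with one guard byte in front; the returned
 * pointer addresses the value and the guard sits at ptr[-1]. */
static char *with_guard(const char *value, char guard) {
    size_t n = strlen(value);
    char *storage = malloc(n + 2);
    if (!storage) abort();
    storage[0] = guard;
    memcpy(storage + 1, value, n + 1);
    return storage + 1;
}

/* Scans the NUL-terminated value right to left, one segment per iteration.
 * bounded == 0 uses the advisory's loop (colon >= ptr); bounded != 0 uses a
 * variant that stops at ptr and therefore never leaves the value. */
static scan_result scan_base60(char *ptr, int bounded) {
    scan_result r = {0, 0, 0, 0, 0};
    long place = 1;
    char *end = ptr + strlen(ptr);               /* NUL ending the current tail */
    for (;;) {
        char *colon = end;
        if (bounded) {
            while (colon > ptr && *colon != ':') colon--;   /* stays inside the value */
        } else {
            while (colon >= ptr && *colon != ':') colon--;  /* may step to ptr - 1 */
        }
        if (colon < ptr) r.read_before = 1;      /* the next line reads ptr[-1] */
        int hit_colon = (*colon == ':');
        char *seg = hit_colon ? colon + 1 : ptr; /* text of this segment */
        r.value += strtol(seg, NULL, 10) * place;
        place *= 60;
        r.segments++;
        if (hit_colon) {
            if (colon < ptr) r.wrote_before = 1; /* '\0' lands before the value */
            *colon = '\0';
            end = colon;
        }
        if (seg == ptr) break;                   /* leftmost segment consumed */
    }
    return r;
}

/* Runs one scan on a guarded copy and reports what happened to the guard. */
static scan_result run_scan(const char *value, char guard, int bounded) {
    char *ptr = with_guard(value, guard);
    scan_result r = scan_base60(ptr, bounded);
    r.guard_after = ptr[-1];
    free(ptr - 1);
    return r;
}

int main(void) {
    const char *value = "1:30:45";               /* constructed input from the advisory */
    scan_result v = run_scan(value, ':', 0);     /* ':' guard also triggers the write */
    scan_result f = run_scan(value, ':', 1);
    printf("advisory loop: value=%ld read_before=%d wrote_before=%d guard=%s\n",
           v.value, v.read_before, v.wrote_before, v.guard_after ? ":" : "NUL");
    printf("bounded loop:  value=%ld read_before=%d wrote_before=%d guard=%s\n",
           f.value, f.read_before, f.wrote_before, f.guard_after ? ":" : "NUL");
    return 0;
}
```

Both variants parse 1:30:45 to 5445, which is why the defect is invisible in normal use; the difference only shows in the guard byte, which the advisory's loop reads on every base60 value and overwrites with a NUL when it happens to be ':'. Running the unbounded path on an exactly sized malloc'd copy under AddressSanitizer reports the same one-byte access as a heap-buffer-overflow.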
Published: 2026-05-12
Score: 7.3 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The YAML::Syck library for Perl contains a buffer underflow bug in the base60 parsing code shared by the integer and float handlers. When the parser splits a colon-separated value into segments, the scan for the leftmost segment never finds a colon, so the scanning pointer ends one byte before the start of the input buffer and the handler then dereferences it. The description characterises the flaw as a one-byte out-of-bounds read; the quoted code also shows that if that byte happens to be ':' the handler overwrites it with a NUL, which is why the record carries both CWE-125 (out-of-bounds read) and CWE-124 (buffer underwrite). The description does not state that the read is exposed to the caller, so any information disclosure from adjacent memory is inferred rather than documented; the CVSS vector rates the confidentiality, integrity and availability impacts as low.

Affected Systems

The vulnerability affects the YAML::Syck distribution on CPAN (vendor recorded as Toddr). Any installation of this module with a version prior to 1.38 is affected. Versions 1.38 and later include the fix, so updating to a current release removes the defect. Any Perl application that parses untrusted YAML with this module is exposed.

Risk and Exploitability

The CVSS 3.1 base score of 7.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) rates the flaw as high because it is reachable over the network with no privileges or user interaction, even though each individual impact is rated low. The EPSS score below 1% indicates a very low predicted likelihood of exploitation in the near term. The flaw is not in CISA's KEV catalog, which means no exploitation in the wild has been confirmed, not that no exploit code exists; the SSVC assessment in this record lists Exploitation as "poc" and Automatable as "yes". Triggering the bug requires only that an attacker supply YAML containing a value the parser types as base60 (a colon-separated number such as 1:30:45): the leftmost segment of any such value, well-formed or not, reaches the faulty scan, so any application that feeds untrusted YAML to an affected YAML::Syck exposes it.

Generated by OpenCVE AI on May 25, 2026 at 13:51 UTC.

Remediation

Vendor Solution

Upgrade to YAML::Syck version 1.38 or later.


OpenCVE Recommended Actions

  • Upgrade the YAML::Syck package to version 1.38 or newer.
  • Apply the official patch from the 208a4d3bd1b5cdb4a791a6e3905bd6bd45e9d005 commit if a full release is not yet available.
  • If an upgrade is not immediately possible, stop parsing untrusted YAML with the affected version. Input filtering is not a reliable substitute: well-formed colon-separated numbers such as 1:30:45 reach the faulty scan, so a filter would have to reject every base60-typed value, not only malformed ones.

Generated by OpenCVE AI on May 25, 2026 at 13:51 UTC.

Advisories

No advisories yet.

History

Mon, 25 May 2026 12:15:00 +0000

Type          Values Removed            Values Added
Weaknesses                              CWE-125
References
Metrics       threat_severity: None     threat_severity: Moderate


Thu, 14 May 2026 14:15:00 +0000

Type          Values Removed            Values Added
Metrics                                 cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L'}
                                        ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 19:30:00 +0000

Type          Values Removed            Values Added
References

Tue, 12 May 2026 18:00:00 +0000

Type                 Values Removed     Values Added
First Time appeared                     Toddr
                                        Toddr yaml::syck
Vendors & Products                      Toddr
                                        Toddr yaml::syck

Tue, 12 May 2026 16:45:00 +0000

Type          Values Removed            Values Added
Description                             YAML::Syck versions before 1.38 for Perl has an out-of-bounds read. The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer: while ( colon >= ptr && *colon != ':' ) { colon--; } if ( *colon == ':' ) *colon = '\0'; // colon may be ptr-1 here When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.
Title                                   YAML::Syck versions before 1.38 for Perl has an out-of-bounds read
Weaknesses                              CWE-124
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-14T13:51:01.952Z

Reserved: 2026-03-28T19:33:37.653Z

Link: CVE-2026-5089

Vulnrichment

Updated: 2026-05-12T18:35:46.042Z

NVD

Status : Deferred

Published: 2026-05-12T17:16:21.720

Modified: 2026-05-14T15:16:49.377

Link: CVE-2026-5089

Redhat

Severity : Moderate

Public Date: 2026-05-12T16:14:21Z

Links: CVE-2026-5089 - Bugzilla

OpenCVE Enrichment

Updated: 2026-05-25T14:00:17Z

Weaknesses
  • CWE-124

    Buffer Underwrite ('Buffer Underflow')

  • CWE-125

    Out-of-bounds Read