Description
Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input.

In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag's own offset and can run past the end of the input buffer. An attacker-controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path).
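The check the description implies for the fix (bounding the re-decoded read so it precedes the COPY tag's own offset) is easiest to see on a small model. The following is an added example, not code from Sereal or from the advisory: it uses a toy two-tag wire format constructed for this illustration (a SHORT_BINARY tag carrying its length in the low 5 bits, and a COPY tag with a one-byte absolute offset), so none of the tag values, constants or function names are Sereal identifiers. The constructed crafted sample places a COPY target inside an earlier string's payload, where the payload byte happens to look like a 31-byte SHORT_BINARY tag; short_binary_end() shows how far an unchecked decoder would read, and resolve_copy() shows the bound that rejects it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy wire format, constructed for this illustration. It is NOT the Sereal
 * encoding and none of these names are Sereal identifiers:
 *   0x20..0x3F  SHORT_BINARY: low 5 bits give the payload length (0..31),
 *               and that many payload bytes follow the tag
 *   0x40        COPY: one byte follows, an absolute offset into the buffer
 */
#define TAG_SHORT_BINARY_LOW  0x20
#define TAG_SHORT_BINARY_HIGH 0x3F
#define TAG_COPY              0x40
#define SHORT_BINARY_LEN(tag) ((size_t)((tag) & 0x1F))
#define SHORT_BINARY_MAX      31

enum { COPY_ERR_TAG = -1, COPY_ERR_TARGET = -2, COPY_ERR_OOB = -3 };

static int is_short_binary(uint8_t tag)
{
    return tag >= TAG_SHORT_BINARY_LOW && tag <= TAG_SHORT_BINARY_HIGH;
}

/* One past the last payload byte of the SHORT_BINARY whose tag sits at `pos`:
 * the range a decoder consumes if it trusts that byte as a tag. */
size_t short_binary_end(const uint8_t *buf, size_t pos)
{
    return pos + 1 + SHORT_BINARY_LEN(buf[pos]);
}

/* Resolve the COPY tag at `copy_pos` and copy the referenced payload into
 * `out` (capacity SHORT_BINARY_MAX). Returns the payload length, or a
 * negative COPY_ERR_* code. The check that matters for this bug class is the
 * last one: the referenced string must end at or before the COPY tag's own
 * offset, so whatever the target byte decodes to, the read stays inside
 * input that is already known to exist. */
int resolve_copy(const uint8_t *buf, size_t buf_len, size_t copy_pos, uint8_t *out)
{
    if (copy_pos + 1 >= buf_len || buf[copy_pos] != TAG_COPY)
        return COPY_ERR_TAG;

    size_t target = buf[copy_pos + 1];
    if (target >= copy_pos)              /* a back-reference must point backwards */
        return COPY_ERR_TARGET;
    if (!is_short_binary(buf[target]))   /* only string targets are copyable here */
        return COPY_ERR_TAG;
    if (short_binary_end(buf, target) > copy_pos)  /* bound the read to precede the COPY */
        return COPY_ERR_OOB;

    size_t len = SHORT_BINARY_LEN(buf[target]);
    memcpy(out, buf + target + 1, len);
    return (int)len;
}

/* Constructed samples. SAMPLE_VALID: SHORT_BINARY "ab" at offset 0 and a COPY
 * at offset 3 pointing back to it. SAMPLE_CRAFTED: a SHORT_BINARY of length 1
 * whose payload byte 0x3F looks like a SHORT_BINARY tag of length 31, and a
 * COPY at offset 2 whose target (offset 1) lands inside that payload. */
const uint8_t SAMPLE_VALID[]     = { 0x22, 'a', 'b', TAG_COPY, 0x00 };
const size_t  SAMPLE_VALID_LEN   = sizeof SAMPLE_VALID;
const uint8_t SAMPLE_CRAFTED[]   = { 0x21, 0x3F, TAG_COPY, 0x01 };
const size_t  SAMPLE_CRAFTED_LEN = sizeof SAMPLE_CRAFTED;

/* Scratch output buffer shared by main() and any caller exercising resolve_copy(). */
uint8_t scratch_out[SHORT_BINARY_MAX];

int main(void)
{
    int n = resolve_copy(SAMPLE_VALID, SAMPLE_VALID_LEN, 3, scratch_out);
    printf("valid: len=%d payload=%.*s\n", n, n, (const char *)scratch_out);

    n = resolve_copy(SAMPLE_CRAFTED, SAMPLE_CRAFTED_LEN, 2, scratch_out);
    printf("crafted: status=%d, unchecked read would end at byte %zu of a %zu-byte buffer\n",
           n, short_binary_end(SAMPLE_CRAFTED, 1), SAMPLE_CRAFTED_LEN);
    return 0;
}
```

On the crafted sample the unchecked end offset is 33 against a 4-byte buffer, which is the 31-byte over-read described above; resolve_copy() rejects it with COPY_ERR_OOB because the string would not end before the COPY tag. Bounding to the COPY's own offset is the check the description attributes to the fix; rejecting targets that are not on a recorded tag boundary would be a stricter, separate measure and is not something this page states Sereal does.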
Published: 2026-05-31
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Sereal::Decoder for Perl contains a heap out-of-bounds read vulnerability in its decoder logic. When processing a COPY tag, the decoder reinterprets a target byte as a new tag. If that byte matches a SHORT_BINARY pattern, the read is not bounded to the COPY tag's own offset and can escape past the end of the input buffer. This flaw can cause up to 31 bytes after the COPY offset to be read as a class name or hash key, exposing arbitrary heap data. The weakness is classified as CWE-125.

Affected Systems

All installations of the Sereal::Decoder module (vendor listed as YVES) running a version before 5.005 are affected. The fix is available in version 5.005 and later, which implements proper bounds checking before decoding the referenced tag. Only the YVES Sereal::Decoder product is listed; no other vendors are referenced.

Risk and Exploitability

No EPSS score is reported, and the vulnerability is not listed in CISA's KEV catalog. While no CVSS score is provided, the inherent nature of an unbounded read suggests a high severity. The attack vector is remote or local depending on who can supply the input being decoded; an attacker who can control serialized data can trigger this read by crafting a COPY offset that points into a previously decoded value. Because this can expose sensitive information and may be used to facilitate further attacks, the risk is elevated.

Generated by OpenCVE AI on May 31, 2026 at 21:20 UTC.

Remediation

Vendor Solution

Upgrade to Sereal::Decoder 5.005 or later.


OpenCVE Recommended Actions

  • Upgrade to Sereal::Decoder 5.005 or newer
  • Restrict usage of the decoder to trusted data sources and validate input sizes before processing
  • Implement monitoring for anomalous input patterns indicating a potential exploit

Tracking


Advisories

No advisories yet.

History

Sun, 31 May 2026 21:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Yves
                                      Yves sereal::decoder
Vendors & Products                    Yves
                                      Yves sereal::decoder

Sun, 31 May 2026 20:15:00 +0000

Type          Values Removed   Values Added
Description                    Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input. In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag's own offset and can run past the end of the input buffer. An attacker controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path).
Title                          Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input
Weaknesses                     CWE-125
References

MITRE

Status: PUBLISHED

Assigner: CPANSec

Published:

Updated: 2026-05-31T19:43:22.054Z

Reserved: 2026-05-18T00:38:16.965Z

Link: CVE-2026-8796

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-31T20:16:30.813

Modified: 2026-05-31T20:16:30.813

Link: CVE-2026-8796

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-31T21:30:06Z

Weaknesses