CPANSA-YAML-Syck-2026-5089: YAML-Syck vulnerability
| Publisher | giterlizzi | Document category | csaf_security_advisory |
|---|---|---|---|
| Initial release date | 2026-05-12T00:00:00 | Engine | CSAF Perl Toolkit 0.26 |
| Current release date | 2026-05-12T00:00:00 | Build Date | |
| Current version | 1 | Status | final |
| CVSS v3.1 Base Score | 7.3 | Severity | |
| Original language | | Language | en |
| Also referred to | | | |
Vulnerability Description
YAML::Syck versions before 1.38 for Perl have an out-of-bounds read. The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both the int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:
```c
while ( colon >= ptr && *colon != ':' )
{
    colon--;
}
if ( *colon == ':' ) *colon = '\0'; // colon may be ptr-1 here
```
When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.
Vulnerabilities
CVE-2026-5089
Vulnerability Description
YAML::Syck versions before 1.38 for Perl have an out-of-bounds read.
The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both the int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:
```c
while ( colon >= ptr && *colon != ':' )
{
    colon--;
}
if ( *colon == ':' ) *colon = '\0'; // colon may be ptr-1 here
```
When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer. As the quoted code shows, if that out-of-bounds byte happens to be ':', the assignment that follows also writes a NUL byte there, which is why the weakness is classed as a buffer underwrite rather than a read alone.
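The behaviour described above, as an added example written for this page (it is not YAML::Syck's code and not the change shipped in 1.38). The first function reproduces the quoted loop on a local buffer with a sentinel byte in front of the segment, so the ptr - 1 position the loop reaches can be observed without touching memory outside an allocation; the starting position of colon at the segment's last byte is an assumption, since the advisory quotes only the loop. The second function is a bounds-safe parser for the YAML 1.1 int#base60 shape (optional sign, a leading segment with optional underscores, then one or more :dd segments in 0..59) that scans left to right, so no pointer before the start of the string is ever formed. Function names and the sample inputs are assumptions.

```c
#include <limits.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not YAML::Syck code): re-run the loop quoted in the
 * advisory on a copy of `segment` placed one byte into a local buffer, so
 * that ptr - 1 is a real byte (the sentinel) instead of memory in front of
 * the allocation. Returns 1 when the loop stops at ptr - 1, i.e. where the
 * original `if ( *colon == ':' ) *colon = '\0';` would read (and, if the
 * byte were ':', write) outside the buffer; 0 when it stops on a ':' inside
 * the segment; -1 if the segment does not fit the demo buffer. */
static int vulnerable_scan_walks_past_start(const char *segment, char sentinel)
{
    char buf[64];
    if (strlen(segment) + 2 > sizeof buf)
        return -1;
    buf[0] = sentinel;                   /* stands in for the byte before the allocation */
    char *ptr = buf + 1;
    strcpy(ptr, segment);
    char *colon = ptr + strlen(ptr) - 1; /* assumed: the scan starts at the last byte */

    /* the loop from the advisory: the bound is checked before the decrement,
     * so colon ends at ptr - 1 whenever the segment contains no ':' */
    while ( colon >= ptr && *colon != ':' )
    {
        colon--;
    }
    /* the original continues with `if ( *colon == ':' ) *colon = '\0';`;
     * with colon == ptr - 1 that reads `sentinel` (CWE-124 if it writes) */
    return colon == ptr - 1;
}

/* Bounds-safe sexagesimal integer parser (added example, not the 1.38 fix).
 * Accepts the YAML 1.1 int#base60 form  [-+]?[1-9][0-9_]*(:[0-5]?[0-9])+
 * scanning left to right, so every pointer formed lies inside the string.
 * Returns 1 and stores the value on success, 0 on malformed or overflowing
 * input. */
static int parse_base60_int(const char *s, long *out)
{
    const char *p = s;
    long sign = 1, value = 0;
    int segments = 0;

    if (*p == '-' || *p == '+') {
        if (*p == '-') sign = -1;
        p++;
    }
    /* leading segment: nonzero first digit, then digits with optional '_' */
    if (*p < '1' || *p > '9')
        return 0;
    while ((*p >= '0' && *p <= '9') || *p == '_') {
        if (*p != '_') {
            if (value > (LONG_MAX - 9) / 10) return 0;      /* decimal overflow */
            value = value * 10 + (*p - '0');
        }
        p++;
    }
    /* one or more ":dd" segments, each one or two digits in 0..59 */
    while (*p == ':') {
        p++;
        int seg = 0, ndigits = 0;
        while (*p >= '0' && *p <= '9' && ndigits < 2) {
            seg = seg * 10 + (*p - '0');
            p++;
            ndigits++;
        }
        if (ndigits == 0 || seg > 59) return 0;             /* "1::2", "1:60" */
        if (value > (LONG_MAX - seg) / 60) return 0;        /* base-60 overflow */
        value = value * 60 + seg;
        segments++;
    }
    if (segments == 0 || *p != '\0')                        /* plain int or junk */
        return 0;
    *out = sign * value;
    return 1;
}

/* Convenience wrapper: the parsed value, or LONG_MIN when the input is rejected. */
static long base60_value(const char *s)
{
    long v;
    return parse_base60_int(s, &v) ? v : LONG_MIN;
}

int main(void)
{
    /* constructed sample inputs */
    const char *inputs[] = { "1:30:45", "190:20:30", "-1:30", "1_0:30", "1:60", "1::2", "1" };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        long v;
        if (parse_base60_int(inputs[i], &v))
            printf("%-10s -> %ld\n", inputs[i], v);
        else
            printf("%-10s -> rejected\n", inputs[i]);
    }
    printf("leftmost segment \"1\" walks past start: %d\n",
           vulnerable_scan_walks_past_start("1", 'x'));
    return 0;
}
```

The smallest repair of the quoted loop itself is to stop at ptr instead of ptr - 1 (loop while colon > ptr) and only then test *colon, which is always in bounds; what 1.38 actually changed should be read from the referenced commit rather than inferred from this example.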
| Weakness | CWE-124: Buffer Underwrite ('Buffer Underflow') |
|---|---|
Product status
Known affected
| Product | Score |
|---|---|
| YAML-Syck less than 1.38 | |
Fixed
- YAML-Syck greater than or equal 1.38
Publisher
giterlizzi
Namespace: https://github.com/giterlizzi/
Contact: gdt@cpan.org
References
- CPANSA-YAML-Syck-2026-5089 JSON (self): https://raw.githubusercontent.com/giterlizzi/perl-CPANSA-CSAF/develop/csaf/white/2026/cpansa-yaml-syck-2026-5089.json
- https://github.com/cpan-authors/YAML-Syck/commit/208a4d3bd1b5cdb4a791a6e3905bd6bd45e9d005.patch (external)
- https://github.com/cpan-authors/YAML-Syck/issues/132 (external)
- https://github.com/cpan-authors/YAML-Syck/pull/133 (external)
- https://metacpan.org/release/TODDR/YAML-Syck-1.38/changes (external)
- http://www.openwall.com/lists/oss-security/2026/05/12/16 (external)
- CVE-2026-5089 (NVD) (external): https://nvd.nist.gov/vuln/detail/CVE-2026-5089
Revision history
| Version | Date of the revision | Summary of the revision |
|---|---|---|
| 1 | Tue May 12 00:00:00 2026 | First release |
Sharing rules
TLP:WHITE
For the TLP version see: https://www.first.org/tlp/