Skip to main content

Yaml CVE-2026-4177

| EUVDEUVD-2026-12523 CRITICAL
Heap-based Buffer Overflow (CWE-122)
2026-03-16 9b29abf9-4ab0-4765-b253-1875cd9b441e
9.1
CVSS 3.1 · Vendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e
Share

Severity by source

Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
SUSE
CRITICAL
qualitative
Red Hat
7.3 HIGH
qualitative

Primary rating from Vendor (9b29abf9-4ab0-4765-b253-1875cd9b441e).

CVSS VectorVendor: 9b29abf9-4ab0-4765-b253-1875cd9b441e

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
High

Lifecycle Timeline

3
EUVD ID Assigned
Mar 17, 2026 - 20:45 euvd
EUVD-2026-12523
Analysis Generated
Mar 17, 2026 - 20:45 vuln.today
CVE Published
Mar 16, 2026 - 23:16 nvd
CRITICAL 9.1

DescriptionCVE.org

YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter.

The heap overflow occurs when class names exceed the initial 512-byte allocation.

The base64 decoder could read past the buffer end on trailing newlines.

strtok mutated n->type_id in place, corrupting shared node data.

A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

AnalysisAI

A critical heap buffer overflow vulnerability exists in YAML::Syck through version 1.36 for Perl, allowing remote attackers to potentially execute arbitrary code or cause denial of service without authentication. The vulnerability stems from multiple memory corruption issues including heap overflow when processing YAML class names exceeding 512 bytes, buffer overread in base64 decoding, and memory leaks. With a CVSS score of 9.1 and network-based attack vector requiring no user interaction, this presents a severe risk to applications parsing untrusted YAML input.

Technical ContextAI

YAML::Syck is a Perl module providing a fast YAML 1.0 loader and dumper based on the libyaml library. The vulnerability manifests as a heap buffer overflow (CWE-122) in the YAML emitter component when processing class names that exceed the initially allocated 512-byte buffer. Additional memory safety issues include the base64 decoder reading past buffer boundaries on trailing newlines, strtok mutations corrupting shared node data structures, and memory leaks in anchor handling. These flaws affect the core parsing and emission logic used when processing YAML documents, making any Perl application using YAML::Syck vulnerable when handling untrusted input.

RemediationAI

Upgrade YAML::Syck to version 1.37_01 or later immediately, which includes the patch available at https://github.com/cpan-authors/YAML-Syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e.patch. If immediate patching is not possible, implement strict input validation on all YAML data before processing, limit the size of YAML documents accepted, and consider running YAML processing in isolated environments with restricted permissions. Applications should also audit their use of YAML::Syck to identify all instances where untrusted input might be processed.

Vendor StatusVendor

SUSE

Severity: Critical
Product Status
SUSE Liberty Linux 8 Fixed
openSUSE Tumbleweed Fixed

Share

CVE-2026-4177 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy