Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Lifecycle Timeline
5DescriptionCVE.org
YAML::Syck versions before 1.38 for Perl has an out-of-bounds read.
The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:
while ( colon >= ptr && *colon != ':' ) { colon--; } if ( *colon == ':' ) *colon = '\0'; // colon may be ptr-1 here
When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.
AnalysisAI
Buffer underflow in YAML::Syck for Perl versions before 1.38 allows remote unauthenticated attackers to trigger out-of-bounds memory reads when parsing specially crafted base60 (sexagesimal) YAML values. The vulnerability affects both integer and floating-point base60 handlers in perl_syck.h, where processing leftmost colon-separated segments causes a pointer to decrement past allocated buffer boundaries. EPSS exploitation probability is minimal (0.01%, 3rd percentile) with no active exploitation or public weaponized exploit identified. Vendor-released patch available in version 1.38, confirmed by CPANSec and upstream commit.
Technical ContextAI
YAML::Syck is a Perl binding for the Syck YAML parser library, implementing YAML 1.0 serialization. The vulnerability resides in the base60 (sexagesimal) number parsing logic within perl_syck.h, which handles YAML timestamps and duration values in colon-separated format (e.g., hours:minutes:seconds). The flaw occurs in both int#base60 and float#base60 type handlers when processing the leftmost segment of a value without colons. The condition 'while (colon >= ptr && *colon != ':')' allows the colon pointer to decrement to ptr-1 when no colon is found, then unconditionally dereferences this out-of-bounds pointer with '*colon == ':''. This represents CWE-124 (Buffer Underrun/'Buffer Underflow'), a memory safety issue where reading before the allocated buffer can expose adjacent memory contents or cause crashes. The affected CPE (cpe:2.3:a:toddr:yaml::syck) confirms this impacts the TODDR-maintained CPAN distribution of YAML::Syck.
RemediationAI
Upgrade YAML::Syck to version 1.38 or later immediately for all Perl installations processing YAML from untrusted sources. The fix is available through standard CPAN distribution channels using 'cpan YAML::Syck' or 'cpanm YAML::Syck' for cpanminus users. The patch commit (https://github.com/cpan-authors/YAML-Syck/commit/208a4d3bd1b5cdb4a791a6e3905bd6bd45e9d005.patch) changes the boundary check from 'colon >= ptr' to 'colon > ptr' preventing pointer underflow, and adds explicit handling for the no-colon case. For environments unable to upgrade immediately, implement input validation to reject or sanitize YAML containing base60/sexagesimal notation (colon-separated numeric values) before passing to YAML::Syck. Specifically, block or escape patterns matching timestamp/duration formats like '1:30:45' or simple ratios like '59:59'. Note this workaround breaks legitimate base60 value parsing and may cause application compatibility issues with YAML documents using YAML 1.0 timestamp types. Alternatively, migrate to YAML::XS or YAML::PP parsers which use different codebases unaffected by this specific flaw, though migration requires testing for behavioral differences in YAML parsing semantics. Monitor https://github.com/cpan-authors/YAML-Syck/pull/133 and http://www.openwall.com/lists/oss-security/2026/05/12/16 for additional vendor guidance.
Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-5. Rated high severity (CVSS 7.5), this vulnerability
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid inpu
A critical heap buffer overflow vulnerability exists in YAML::Syck through version 1.36 for Perl, allowing remote attack
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory. Rated high severity (CVSS 7.5)
Multiple format string vulnerabilities in the error reporting functionality in the YAML::LibYAML (aka YAML-LibYAML and p
Same weakness CWE-124 – Buffer Underwrite ('Buffer Underflow')
View allSame technique Buffer Overflow
View allVendor StatusVendor
SUSE
Severity: HighShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-29543
GHSA-jcwf-qrr5-xwq3