Skip to main content

YAML::Syck CVE-2026-5089

| EUVDEUVD-2026-29543 HIGH
Buffer Underwrite ('Buffer Underflow') (CWE-124)
2026-05-12 CPANSec GHSA-jcwf-qrr5-xwq3
7.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.3 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
SUSE
HIGH
qualitative
Red Hat
4.0 MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

5
Source Code Evidence Fetched
May 14, 2026 - 15:23 vuln.today
Analysis Generated
May 14, 2026 - 15:23 vuln.today
CVSS changed
May 14, 2026 - 15:22 NVD
7.3 (HIGH)
CVE Published
May 12, 2026 - 16:14 nvd
HIGH 7.3
CVE Published
May 12, 2026 - 16:14 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

YAML::Syck versions before 1.38 for Perl has an out-of-bounds read.

The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:

while ( colon >= ptr && *colon != ':' ) { colon--; } if ( *colon == ':' ) *colon = '\0'; // colon may be ptr-1 here

When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.

AnalysisAI

Buffer underflow in YAML::Syck for Perl versions before 1.38 allows remote unauthenticated attackers to trigger out-of-bounds memory reads when parsing specially crafted base60 (sexagesimal) YAML values. The vulnerability affects both integer and floating-point base60 handlers in perl_syck.h, where processing leftmost colon-separated segments causes a pointer to decrement past allocated buffer boundaries. EPSS exploitation probability is minimal (0.01%, 3rd percentile) with no active exploitation or public weaponized exploit identified. Vendor-released patch available in version 1.38, confirmed by CPANSec and upstream commit.

Technical ContextAI

YAML::Syck is a Perl binding for the Syck YAML parser library, implementing YAML 1.0 serialization. The vulnerability resides in the base60 (sexagesimal) number parsing logic within perl_syck.h, which handles YAML timestamps and duration values in colon-separated format (e.g., hours:minutes:seconds). The flaw occurs in both int#base60 and float#base60 type handlers when processing the leftmost segment of a value without colons. The condition 'while (colon >= ptr && *colon != ':')' allows the colon pointer to decrement to ptr-1 when no colon is found, then unconditionally dereferences this out-of-bounds pointer with '*colon == ':''. This represents CWE-124 (Buffer Underrun/'Buffer Underflow'), a memory safety issue where reading before the allocated buffer can expose adjacent memory contents or cause crashes. The affected CPE (cpe:2.3:a:toddr:yaml::syck) confirms this impacts the TODDR-maintained CPAN distribution of YAML::Syck.

RemediationAI

Upgrade YAML::Syck to version 1.38 or later immediately for all Perl installations processing YAML from untrusted sources. The fix is available through standard CPAN distribution channels using 'cpan YAML::Syck' or 'cpanm YAML::Syck' for cpanminus users. The patch commit (https://github.com/cpan-authors/YAML-Syck/commit/208a4d3bd1b5cdb4a791a6e3905bd6bd45e9d005.patch) changes the boundary check from 'colon >= ptr' to 'colon > ptr' preventing pointer underflow, and adds explicit handling for the no-colon case. For environments unable to upgrade immediately, implement input validation to reject or sanitize YAML containing base60/sexagesimal notation (colon-separated numeric values) before passing to YAML::Syck. Specifically, block or escape patterns matching timestamp/duration formats like '1:30:45' or simple ratios like '59:59'. Note this workaround breaks legitimate base60 value parsing and may cause application compatibility issues with YAML documents using YAML 1.0 timestamp types. Alternatively, migrate to YAML::XS or YAML::PP parsers which use different codebases unaffected by this specific flaw, though migration requires testing for behavioral differences in YAML parsing semantics. Monitor https://github.com/cpan-authors/YAML-Syck/pull/133 and http://www.openwall.com/lists/oss-security/2026/05/12/16 for additional vendor guidance.

Vendor StatusVendor

SUSE

Severity: High

Share

CVE-2026-5089 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy