Skip to main content

YAML::Syck EUVDEUVD-2026-45052

| CVE-2026-13713 MEDIUM
Use After Free (CWE-416)
2026-07-16 CPANSec GHSA-p3p9-6pr6-mr9m
6.2
CVSS 3.1 · Vendor: CPANSec
Share

Severity by source

Vendor (CPANSec) PRIMARY
6.2 MEDIUM
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
vuln.today AI
7.5 HIGH

Input-driven crash with no config prerequisite; network-received YAML routinely reaches Load() in practice, so AV:N overrides the library-baseline AV:L; impact is availability-only.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (CPANSec).

CVSS VectorVendor: CPANSec

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

4
Source Code Evidence Fetched
Jul 17, 2026 - 14:25 vuln.today
Analysis Generated
Jul 17, 2026 - 14:25 vuln.today
CVSS changed
Jul 17, 2026 - 14:22 NVD
6.2 (MEDIUM)
CVE Published
Jul 16, 2026 - 21:35 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack.

In the bundled libsyck, when an anchor name is redefined or removed, syck_hdlr_add_anchor and syck_hdlr_remove_anchor free the node stored under that name with syck_free_node. That node can still be live on the parser's value stack, so syck_hdlr_add_node reaches it again and frees it a second time. On a normal build the 48-byte node chunk is freed twice and the interpreter aborts. Anchors need no special flags, so this is reached on the default Load path, and a 7-byte document that redefines an anchor triggers it.

Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor mid-parse crashes the interpreter, a denial of service.

AnalysisAI

YAML::Syck before version 1.47 crashes the Perl interpreter when parsing a YAML document that redefines an anchor name, due to a use-after-free and double-free in the bundled libsyck C library. Any caller invoking Load() or LoadFile() on attacker-controlled YAML - a common pattern in Perl web frameworks and data-pipeline tooling - is exposed to a denial-of-service condition that aborts the interpreter process. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify Perl service parsing user-supplied YAML
Delivery
Craft document redefining anchor name (7 bytes minimum)
Exploit
Submit payload via application input channel
Install
libsyck frees anchor node while it remains on value stack
C2
syck_hdlr_add_node triggers double-free of same 48-byte chunk
Execute
Allocator detects corruption and aborts Perl interpreter
Impact
Service process crashes (DoS)

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target process calls YAML::Syck's Load() or LoadFile() on attacker-controlled YAML input containing a redefined anchor name (e.g., any document where the same anchor label appears twice, such as '- &a' followed by '&a' within the same stream). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The NVD-assigned CVSS 3.1 score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a library-baseline local attack vector and availability-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker submits a crafted YAML payload - as short as seven bytes, containing a document that redefines an anchor name - to a web application or API endpoint that parses the request body using YAML::Syck's Load() function. The Perl interpreter aborts due to the double-free detected by the allocator, crashing the worker process and producing a denial of service. …
Remediation Upgrade YAML::Syck to version 1.47 or later, available on CPAN at https://metacpan.org/release/TODDR/YAML-Syck-1.47/changes; this is the primary and recommended fix. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45052 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy