Severity by source
AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Input-driven crash with no config prerequisite; network-received YAML routinely reaches Load() in practice, so AV:N overrides the library-baseline AV:L; impact is availability-only.
Primary rating from Vendor (CPANSec).
CVSS VectorVendor: CPANSec
CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack.
In the bundled libsyck, when an anchor name is redefined or removed, syck_hdlr_add_anchor and syck_hdlr_remove_anchor free the node stored under that name with syck_free_node. That node can still be live on the parser's value stack, so syck_hdlr_add_node reaches it again and frees it a second time. On a normal build the 48-byte node chunk is freed twice and the interpreter aborts. Anchors need no special flags, so this is reached on the default Load path, and a 7-byte document that redefines an anchor triggers it.
Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor mid-parse crashes the interpreter, a denial of service.
AnalysisAI
YAML::Syck before version 1.47 crashes the Perl interpreter when parsing a YAML document that redefines an anchor name, due to a use-after-free and double-free in the bundled libsyck C library. Any caller invoking Load() or LoadFile() on attacker-controlled YAML - a common pattern in Perl web frameworks and data-pipeline tooling - is exposed to a denial-of-service condition that aborts the interpreter process. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that the target process calls YAML::Syck's Load() or LoadFile() on attacker-controlled YAML input containing a redefined anchor name (e.g., any document where the same anchor label appears twice, such as '- &a' followed by '&a' within the same stream). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The NVD-assigned CVSS 3.1 score of 6.2 (AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) reflects a library-baseline local attack vector and availability-only impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker submits a crafted YAML payload - as short as seven bytes, containing a document that redefines an anchor name - to a web application or API endpoint that parses the request body using YAML::Syck's Load() function. The Perl interpreter aborts due to the double-free detected by the allocator, crashing the worker process and producing a denial of service. … |
| Remediation | Upgrade YAML::Syck to version 1.47 or later, available on CPAN at https://metacpan.org/release/TODDR/YAML-Syck-1.47/changes; this is the primary and recommended fix. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Uncaught Exception in GitHub repository eemeli/yaml prior to 2.0.0-5. Rated high severity (CVSS 7.5), this vulnerability
An issue in the Unmarshal function in Go-Yaml v3 causes the program to crash when attempting to deserialize invalid inpu
YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via a signed-char lookup-table index in syck_base64
A critical heap buffer overflow vulnerability exists in YAML::Syck through version 1.36 for Perl, allowing remote attack
Heap use-after-free in YAML::Syck for Perl before version 1.47 lets a crafted YAML document corrupt parser memory when i
YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via an unbounded newline scan in newline_len. In t
Parsing malicious or large YAML documents can consume excessive amounts of CPU or memory. Rated high severity (CVSS 7.5)
Buffer underflow in YAML::Syck for Perl versions before 1.38 allows remote unauthenticated attackers to trigger out-of-b
Multiple format string vulnerabilities in the error reporting functionality in the YAML::LibYAML (aka YAML-LibYAML and p
Same weakness CWE-416 – Use After Free
View allSame technique Use After Free
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45052
GHSA-p3p9-6pr6-mr9m