Buffer Overwrite Vulnerability in Sereal::Decoder for Perl by Yuval
CVE-2024-14030

8.1 HIGH

Key Information:

Vendor

Yves

CVE Published:
31 March 2026

What is CVE-2024-14030?

Sereal::Decoder versions from 4.000 to 4.009_002 are impacted by a buffer overwrite vulnerability due to an embedded version of the Zstandard library, which contains a race condition in its one-pass compression functions. If unsuitable buffer sizes are used, this flaw could allow attackers to write outside the intended memory bounds, leading to potential data corruption or exploitation. Users are advised to update to the latest version to mitigate the risks associated with this vulnerability.

Affected Version(s)

Sereal::Decoder >= 4.000, <= 4.009_002

CVSS V3.1

Score:
8.1
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
