Out-of-Bounds Read Vulnerability in YAML::Syck for Perl
CVE-2026-5089

Currently unrated

Key Information:

Vendor: Toddr

CVE Published: 12 May 2026

What is CVE-2026-5089?

An out-of-bounds read issue exists in YAML::Syck versions prior to 1.38 for Perl. This vulnerability stems from a buffer underflow in the parsing code handling base60 format. During the parsing of colon-separated values, the code can erroneously decrement a pointer past the start of the string buffer. This occurs when the leftmost segment of the value doesn't contain a colon, leading to a potential dereference of an unallocated memory byte. Such vulnerabilities can be exploited to cause unexpected behavior or data exposure.
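The bounds check that a right-to-left parser of colon-separated base60 values needs, as an added example. It is not YAML::Syck's code or its fix; the function name `parse_base60`, the segment and digit limits, and the sample inputs are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added illustration, not YAML::Syck source. parse_base60 and its limits
 * (4 segments, 4 digits each) are assumptions. Parses "1:30:45" right to
 * left; returns 0 and sets *out, or -1 on malformed input. */
int parse_base60(const char *buf, size_t len, unsigned long *out)
{
    const char *start = buf, *end = buf + len;
    unsigned long total = 0, weight = 1;
    int segments = 0;

    if (len == 0)
        return -1;
    while (end > start) {
        const char *seg = end;
        /* Test the bound before reading: the cursor stops at start and
         * start[-1] is never dereferenced, even when the leftmost
         * segment has no colon in front of it. */
        while (seg > start && seg[-1] != ':')
            seg--;
        if (seg == end || end - seg > 4 || ++segments > 4)
            return -1;                 /* empty, oversized, or too many */
        unsigned long value = 0;
        for (const char *p = seg; p < end; p++) {
            if (*p < '0' || *p > '9')
                return -1;
            value = value * 10 + (unsigned long)(*p - '0');
        }
        total += value * weight;
        weight *= 60;
        if (seg == start)
            break;                     /* leftmost segment consumed */
        end = seg - 1;                 /* this colon is inside the buffer */
        if (end == start)
            return -1;                 /* leading colon, e.g. ":30" */
    }
    *out = total;
    return 0;
}

int main(void)
{
    /* Constructed inputs; "45" is the no-colon leftmost segment case. */
    const char *samples[] = { "1:30:45", "45", ":30", "1::2" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long v = 0;
        int rc = parse_base60(samples[i], strlen(samples[i]), &v);
        printf("%-8s rc=%d value=%lu\n", samples[i], rc, v);
    }
    return 0;
}
```

Building a parser like this with `-fsanitize=address` and feeding it single-segment inputs is a quick way to confirm that the cursor never leaves the buffer.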

Affected Version(s)

YAML::Syck 0 < 1.38

Timeline

  • Vulnerability published

  • Vulnerability Reserved
