Heap Out-of-Bounds Read Vulnerability in Sereal::Decoder for Perl
CVE-2026-8796

Currently unrated

Key Information:

Vendor

Yves

CVE Published:
31 May 2026

What is CVE-2026-8796?

The Sereal::Decoder library for Perl has a vulnerability that lets attackers trigger heap out-of-bounds reads through crafted input. It occurs in the processing of COPY tags, where the way the target byte is handled can lead to unsafe reads beyond the intended bounds of the input buffer. Specifically, a malicious COPY offset can lead to reading into previously decoded values, causing the decoder to misinterpret a byte as a SHORT_BINARY tag and read additional bytes from the heap. This behavior can be triggered on versions prior to 5.005, posing a significant risk to applications that use affected versions of Sereal::Decoder.
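
The class of check involved, shown as an added example that is not code from Sereal::Decoder or from this advisory: a simplified C model that resolves a COPY tag to a SHORT_BINARY target and rejects any reference that would leave the input buffer. The function names, the zero-based offset convention and the rule that the target precedes the COPY tag are assumptions of this model; the tag values follow the Sereal format specification.

```c
#include <stddef.h>
#include <stdint.h>

/* Tag values follow the Sereal format spec; all names here are illustrative. */
#define TAG_COPY              0x2f
#define TAG_SHORT_BINARY_LOW  0x60  /* 0x60..0x7f: low 5 bits hold the length */
#define TAG_SHORT_BINARY_HIGH 0x7f
#define SHORT_BINARY_LEN_MASK 0x1f

/* Decode a varint at *pos without reading past end; returns 0 on success. */
static int read_varint(const uint8_t *buf, size_t end, size_t *pos, uint64_t *out)
{
    uint64_t val = 0;
    for (unsigned shift = 0; *pos < end && shift < 63; shift += 7) {
        uint8_t b = buf[(*pos)++];
        val |= (uint64_t)(b & 0x7f) << shift;
        if (!(b & 0x80)) { *out = val; return 0; }
    }
    return -1;  /* truncated or over-long varint */
}

/*
 * Resolve the COPY tag at buf[copy_pos] to a SHORT_BINARY payload.
 * Returns 0 and sets *str / *str_len, or -1 if the reference is malformed
 * or would touch any byte outside buf[0..len).
 */
int resolve_copy(const uint8_t *buf, size_t len, size_t copy_pos,
                 const uint8_t **str, size_t *str_len)
{
    size_t pos = copy_pos;
    uint64_t off;

    if (pos >= len || buf[pos++] != TAG_COPY) return -1;
    if (read_varint(buf, len, &pos, &off) != 0) return -1;
    /* Model rule (assumption): the target is an earlier byte of this input. */
    if (off >= copy_pos) return -1;

    uint8_t tag = buf[off];
    if (tag < TAG_SHORT_BINARY_LOW || tag > TAG_SHORT_BINARY_HIGH) return -1;
    size_t n = tag & SHORT_BINARY_LEN_MASK;
    /* A length taken from the target byte must still fit inside the input;
     * without this, the copy would read past the end of the buffer. */
    if (n > len - (size_t)off - 1) return -1;

    *str = buf + off + 1;
    *str_len = n;
    return 0;
}
```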

Affected Version(s)

Sereal::Decoder 0 < 5.005

Timeline

  • Vulnerability published

  • Vulnerability Reserved