YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter
Summary
| CVE | CVE-2026-4177 |
|---|---|
| State | PUBLISHED |
| Assigner | CPANSec |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-03-16 23:16:21 UTC |
| Updated | 2026-07-15 02:22:39 UTC |
| Description | YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return. |
Risk And Classification
Primary CVSS: v3.1 9.1 CRITICAL from ADP
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS: 0.004290000 probability, percentile 0.347460000 (date 2026-07-16)
Problem Types: CWE-122 | CWE-120 | CWE-122 CWE-122 Heap-based Buffer Overflow | CWE-120 Buffer Copy without Checking Size of Input ('Classic Buffer Overflow')
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| 3.1 | ADP | CVSS | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 9.1 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H |
| 3.1 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | Secondary | 7.3 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
CVSS v3.1 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
NVD Known Affected Configurations (CPE 2.3)
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | TODDR | YAMLSyck | affected 1.36 custom | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 7 Extended Lifecycle Support | unaffected 0:1.27-3.el7_9.1 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 8 | unaffected 0:1.30-6.el8_10 * rpm | Not specified |
| ADP | Red Hat | Red Hat Enterprise Linux 6 | Not specified | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| metacpan.org/release/TODDR/YAML-Syck-1.37_01/changes | 9b29abf9-4ab0-4765-b253-1875cd9b441e | metacpan.org | Release Notes |
| security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-4177.json | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | security.access.redhat.com | |
| access.redhat.com/errata/RHSA-2026:6470 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| www.openwall.com/lists/oss-security/2026/03/16/6 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | Mailing List, Third Party Advisory |
| access.redhat.com/errata/RHSA-2026:8311 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| access.redhat.com/security/cve/CVE-2026-4177 | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | access.redhat.com | |
| github.com/cpan-authors/YAML-Syck/commit/e8844a31c8cf0052914b198fc784ed4... | 9b29abf9-4ab0-4765-b253-1875cd9b441e | github.com | Patch |
| bugzilla.redhat.com/show_bug.cgi | 0b0ca135-0b70-47e7-9f44-1890c2a1c46c | bugzilla.redhat.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Todd Rinaldo (en)
Additional Advisory Data
| Source | Time | Event |
|---|---|---|
| ADP | 2026-03-16T23:01:43.396Z | Reported to Red Hat. |
| ADP | 2026-03-16T22:30:25.367Z | Made public. |
Solutions
CNA: Upgrade to version 1.37 or higher.
ADP: RHSA-2026:8311: Red Hat Enterprise Linux Server Optional (v. 7 ELS)
ADP: RHSA-2026:6470: Red Hat Enterprise Linux CRB (v. 8)
Workarounds
ADP: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.