Refine your search
2 vulnerabilities found for Sereal::Decoder by YVES
CVE-2026-8796 (GCVE-0-2026-8796)
Vulnerability from cvelistv5
Published
2026-05-31 19:43
Modified
2026-06-01 18:42
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-125 - Out-of-bounds Read
Summary
Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input.
In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag's own offset and can run past the end of the input buffer. An attacker controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path).
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YVES | Sereal::Decoder |
Version: 0 < 5.005 |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-06-01T07:44:02.734Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/06/01/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2026-8796",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-06-01T18:42:19.702527Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-06-01T18:42:31.783Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Sereal-Decoder",
"product": "Sereal::Decoder",
"programFiles": [
"Perl/Decoder/srl_decoder.c"
],
"programRoutines": [
{
"name": "srl_read_object()"
},
{
"name": "srl_read_hash()"
}
],
"repo": "https://github.com/Sereal/Sereal",
"vendor": "YVES",
"versions": [
{
"lessThan": "5.005",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input.\n\nIn Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag\u0027s own offset and can run past the end of the input buffer. An attacker controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path)."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-125",
"description": "CWE-125 Out-of-bounds Read",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-31T19:43:22.054Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/Sereal/Sereal/commit/303a2c69cdba80bf37a3ff43461e0aa78198a7a3.patch"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/YVES/Sereal-Decoder-5.005/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Sereal::Decoder 5.005 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2026-05-13T00:00:00.000Z",
"value": "Issue reported."
},
{
"lang": "en",
"time": "2026-05-19T00:00:00.000Z",
"value": "Fix released in Sereal::Decoder 5.005."
},
{
"lang": "en",
"time": "2026-05-20T00:00:00.000Z",
"value": "Fix verified against proofs of concept."
}
],
"title": "Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2026-8796",
"datePublished": "2026-05-31T19:43:22.054Z",
"dateReserved": "2026-05-18T00:38:16.965Z",
"dateUpdated": "2026-06-01T18:42:31.783Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2024-14030 (GCVE-0-2024-14030)
Vulnerability from cvelistv5
Published
2026-03-31 11:31
Modified
2026-04-01 16:29
Severity ?
VLAI Severity ?
EPSS score ?
CWE
- CWE-1395 - Dependency on Vulnerable Third-Party Component
Summary
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.
Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| YVES | Sereal::Decoder |
Version: 4.000 < |
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.1,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-14030",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T14:18:18.323057Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T14:18:55.221Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Sereal-Decoder",
"product": "Sereal::Decoder",
"repo": "https://github.com/Sereal/Sereal",
"vendor": "YVES",
"versions": [
{
"lessThanOrEqual": "4.009_002",
"status": "affected",
"version": "4.000",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.\n\nSereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:29:33.903Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://github.com/advisories/GHSA-w77f-wv46-4vcx"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://www.cve.org/CVERecord?id=CVE-2019-11922"
},
{
"tags": [
"release-notes"
],
"url": "https://metacpan.org/release/YVES/Sereal-Decoder-4.010/changes"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to Sereal::Decoder version 4.010 or later."
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2017-02-06T00:00:00.000Z",
"value": "Sereal::Decoder version 4.001_001 released."
},
{
"lang": "en",
"time": "2018-12-27T00:00:00.000Z",
"value": "Zstandard 1.3.8 released."
},
{
"lang": "en",
"time": "2019-07-25T00:00:00.000Z",
"value": "CVE-2019-11922 for Zstandard published"
},
{
"lang": "en",
"time": "2020-02-04T00:00:00.000Z",
"value": "Sereal::Decoder version 4.010 released."
},
{
"lang": "en",
"time": "2023-02-09T00:00:00.000Z",
"value": "Advisory added to the CPANSA database."
},
{
"lang": "en",
"time": "2024-02-17T00:00:00.000Z",
"value": "Advisory updated in the CPANSA database."
}
],
"title": "Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library",
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2024-14030",
"datePublished": "2026-03-31T11:31:08.541Z",
"dateReserved": "2026-03-28T19:49:07.023Z",
"dateUpdated": "2026-04-01T16:29:33.903Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}