
3 vulnerabilities by yves

CVE-2026-8796 (GCVE-0-2026-8796)

Vulnerability from cvelistv5 – Published: 2026-05-31 19:43 – Updated: 2026-06-01 18:42
Title
Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input
Summary
Sereal::Decoder versions before 5.005 for Perl allow a heap out-of-bounds read via crafted input. In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low five bits of the tag), the resulting read is not bounded to precede the COPY tag's own offset and can run past the end of the input buffer. An attacker-controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path). Because those bytes are surfaced to the caller as ordinary string data, the practical impact is disclosure of heap memory adjacent to the input buffer, or a crash if the over-read crosses into unmapped memory; any service that decodes Sereal payloads from untrusted sources should treat this as reachable without authentication.
SSVC
Exploitation: none Automatable: no Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-125 - Out-of-bounds Read
Assigner
  CPANSec
Impacted products
Vendor Product Version
YVES Sereal::Decoder Affected: 0 , < 5.005 (custom)

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-06-01T07:44:02.734Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/06/01/1"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "NONE",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "REQUIRED",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-8796",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-01T18:42:19.702527Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-01T18:42:31.783Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Sereal-Decoder",
          "product": "Sereal::Decoder",
          "programFiles": [
            "Perl/Decoder/srl_decoder.c"
          ],
          "programRoutines": [
            {
              "name": "srl_read_object()"
            },
            {
              "name": "srl_read_hash()"
            }
          ],
          "repo": "https://github.com/Sereal/Sereal",
          "vendor": "YVES",
          "versions": [
            {
              "lessThan": "5.005",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input.\n\nIn Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag\u0027s own offset and can run past the end of the input buffer. An attacker controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path)."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-125",
              "description": "CWE-125 Out-of-bounds Read",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-31T19:43:22.054Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/Sereal/Sereal/commit/303a2c69cdba80bf37a3ff43461e0aa78198a7a3.patch"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/YVES/Sereal-Decoder-5.005/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to Sereal::Decoder 5.005 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2026-05-13T00:00:00.000Z",
          "value": "Issue reported."
        },
        {
          "lang": "en",
          "time": "2026-05-19T00:00:00.000Z",
          "value": "Fix released in Sereal::Decoder 5.005."
        },
        {
          "lang": "en",
          "time": "2026-05-20T00:00:00.000Z",
          "value": "Fix verified against proofs of concept."
        }
      ],
      "title": "Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2026-8796",
    "datePublished": "2026-05-31T19:43:22.054Z",
    "dateReserved": "2026-05-18T00:38:16.965Z",
    "dateUpdated": "2026-06-01T18:42:31.783Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-14031 (GCVE-0-2024-14031)

Vulnerability from cvelistv5 – Published: 2026-03-31 11:31 – Updated: 2026-04-01 16:30
Title
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library
Summary
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library. Sereal::Encoder bundles a copy of Zstandard (zstd) that is affected by CVE-2019-11922, a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used. Whether Sereal's own calls into the embedded library can satisfy that buffer-size condition is not stated in this record; the supported remediation is to upgrade to Sereal::Encoder 4.010 or later, which ships a fixed copy.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
  CPANSec
Impacted products
Vendor Product Version
YVES Sereal::Encoder Affected: 4.000 , ≤ 4.009_002 (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-14031",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T14:19:21.141997Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1395",
                "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T14:19:27.286Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Sereal-Encoder",
          "product": "Sereal::Encoder",
          "repo": "https://github.com/Sereal/Sereal",
          "vendor": "YVES",
          "versions": [
            {
              "lessThanOrEqual": "4.009_002",
              "status": "affected",
              "version": "4.000",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.\n\nSereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922.  This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T16:30:00.649Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/advisories/GHSA-w77f-wv46-4vcx"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-11922"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/YVES/Sereal-Encoder-4.010/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to Sereal::Encoder version 4.010 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2017-02-06T00:00:00.000Z",
          "value": "Sereal::Encoder version 4.001_001 released."
        },
        {
          "lang": "en",
          "time": "2018-12-27T00:00:00.000Z",
          "value": "Zstandard 1.3.8 released."
        },
        {
          "lang": "en",
          "time": "2019-07-25T00:00:00.000Z",
          "value": "CVE-2019-11922 for Zstandard published"
        },
        {
          "lang": "en",
          "time": "2020-02-04T00:00:00.000Z",
          "value": "Sereal::Encoder version 4.010 released."
        },
        {
          "lang": "en",
          "time": "2023-02-09T00:00:00.000Z",
          "value": "Advisory added to the CPANSA database."
        },
        {
          "lang": "en",
          "time": "2024-02-17T00:00:00.000Z",
          "value": "Advisory updated in the CPANSA database."
        }
      ],
      "title": "Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2024-14031",
    "datePublished": "2026-03-31T11:31:28.100Z",
    "dateReserved": "2026-03-29T15:12:06.674Z",
    "dateUpdated": "2026-04-01T16:30:00.649Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2024-14030 (GCVE-0-2024-14030)

Vulnerability from cvelistv5 – Published: 2026-03-31 11:31 – Updated: 2026-04-01 16:29
Title
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library
Summary
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library. Sereal::Decoder bundles a copy of Zstandard (zstd) that is affected by CVE-2019-11922, a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used. Whether Sereal's own calls into the embedded library can satisfy that buffer-size condition is not stated in this record; the supported remediation is to upgrade to Sereal::Decoder 4.010 or later, which ships a fixed copy.
SSVC
Exploitation: none Automatable: no Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
  CPANSec
Impacted products
Vendor Product Version
YVES Sereal::Decoder Affected: 4.000 , ≤ 4.009_002 (custom)

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "HIGH",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 8.1,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2024-14030",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-03-31T14:18:18.323057Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "problemTypes": [
          {
            "descriptions": [
              {
                "cweId": "CWE-1395",
                "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
                "lang": "en",
                "type": "CWE"
              }
            ]
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-03-31T14:18:55.221Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Sereal-Decoder",
          "product": "Sereal::Decoder",
          "repo": "https://github.com/Sereal/Sereal",
          "vendor": "YVES",
          "versions": [
            {
              "lessThanOrEqual": "4.009_002",
              "status": "affected",
              "version": "4.000",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library.\n\nSereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922.  This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-04-01T16:29:33.903Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://github.com/advisories/GHSA-w77f-wv46-4vcx"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://www.cve.org/CVERecord?id=CVE-2019-11922"
        },
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://metacpan.org/release/YVES/Sereal-Decoder-4.010/changes"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to Sereal::Decoder version 4.010 or later."
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2017-02-06T00:00:00.000Z",
          "value": "Sereal::Decoder version 4.001_001 released."
        },
        {
          "lang": "en",
          "time": "2018-12-27T00:00:00.000Z",
          "value": "Zstandard 1.3.8 released."
        },
        {
          "lang": "en",
          "time": "2019-07-25T00:00:00.000Z",
          "value": "CVE-2019-11922 for Zstandard published"
        },
        {
          "lang": "en",
          "time": "2020-02-04T00:00:00.000Z",
          "value": "Sereal::Decoder version 4.010 released."
        },
        {
          "lang": "en",
          "time": "2023-02-09T00:00:00.000Z",
          "value": "Advisory added to the CPANSA database."
        },
        {
          "lang": "en",
          "time": "2024-02-17T00:00:00.000Z",
          "value": "Advisory updated in the CPANSA database."
        }
      ],
      "title": "Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library",
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2024-14030",
    "datePublished": "2026-03-31T11:31:08.541Z",
    "dateReserved": "2026-03-28T19:49:07.023Z",
    "dateUpdated": "2026-04-01T16:29:33.903Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}