{ "affected": [ { "ranges": [ { "database_specific": { "versions": [ { "introduced": "0" }, { "last_affected": "1.36" } ] }, "events": [ { "introduced": "0" }, { "last_affected": "5240a54e6afb0bdabbaf11714475dd9b3d8f16fa" } ], "repo": "https://github.com/cpan-authors/YAML-Syck", "type": "GIT" }, { "events": [ { "introduced": "0" }, { "fixed": "e8844a31c8cf0052914b198fc784ed4e6b8ae69e" } ], "repo": "https://github.com/cpan-authors/yaml-syck", "type": "GIT" } ] } ], "details": "YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter.\n\nThe heap overflow occurs when class names exceed the initial 512-byte allocation.\n\nThe base64 decoder could read past the buffer end on trailing newlines.\n\nstrtok mutated n-\u003etype_id in place, corrupting shared node data.\n\nA memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.", "id": "CVE-2026-4177", "modified": "2026-04-01T23:08:13.996223731Z", "published": "2026-03-16T23:16:21.543Z", "references": [ { "type": "WEB", "url": "https://metacpan.org/release/TODDR/YAML-Syck-1.37_01/changes#L21" }, { "type": "WEB", "url": "http://www.openwall.com/lists/oss-security/2026/03/16/6" }, { "type": "FIX", "url": "https://github.com/cpan-authors/YAML-Syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e.patch" } ], "severity": [ { "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "type": "CVSS_V3" } ] }