{"id":"CVE-2026-4177","details":"YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities, including a high-severity heap buffer overflow in the YAML emitter.\n\nThe heap overflow occurs when class names exceed the initial 512-byte allocation.\n\nThe base64 decoder could read past the buffer end on trailing newlines.\n\nstrtok mutated n-\u003etype_id in place, corrupting shared node data.\n\nA memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.","modified":"2026-04-07T12:59:25.374643231Z","published":"2026-03-16T23:16:21.543Z","related":["ALSA-2026:6470","MGASA-2026-0058"],"references":[{"type":"WEB","url":"https://metacpan.org/release/TODDR/YAML-Syck-1.37_01/changes#L21"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/03/16/6"},{"type":"FIX","url":"https://github.com/cpan-authors/YAML-Syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e.patch"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/cpan-authors/YAML-Syck","events":[{"introduced":"0"},{"last_affected":"5240a54e6afb0bdabbaf11714475dd9b3d8f16fa"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"1.36"}]}},{"type":"GIT","repo":"https://github.com/cpan-authors/yaml-syck","events":[{"introduced":"0"},{"fixed":"e8844a31c8cf0052914b198fc784ed4e6b8ae69e"}]}],"versions":["0.01","0.02","0.03","0.04","0.05","0.06","0.07","0.08","0.09","0.10","0.11","0.12","0.13","0.14","0.15","0.16","0.17","0.18","0.19","0.20","0.21","0.22","0.23","0.24","0.25","0.26","0.27","0.28","0.29","0.30","0.31","0.32","0.33","0.34","0.35","0.36","0.37","0.38","0.40","0.41","0.42","0.43","0.44","0.45","0.46_01","0.60","0.61","0.62","0.63","0.64","0.65","0.66","0.67","0.70","0.71","0.72","0.80","0.81","0.82","0.84","0.85","0.86","0.87","0.88","0.90","0.91","0.94","0.95","0.96","0.97","0.98","0.99","1.00","1.01","1.02","1.03","1.04","1.05","1.07","1.07_01","1.08","1.08_0
1","1.09","1.10","1.10_01","1.10_02","1.10_03","1.10_04","1.10_05","1.10_06","1.10_07","1.11","1.12","1.13","1.14","1.15","1.20","1.20_01","1.21_01","1.22","1.23","1.24_01","1.24_02","1.26","1.27","1.28","1.28_01","1.29","1.29_01","1.30","1.30_01","1.31","1.32","1.33","1.34","1.35","1.36","v1.28","v1.28_01","v1.29","v1.29_01","v1.30","v1.30_01","v1.31","v1.32","v1.33","v1.34","v1.35","v1.36"],"database_specific":{"vanir_signatures":[{"digest":{"threshold":0.9,"line_hashes":["77432070393602274084319312092171722556","228519751324146396573491506049228976126","154536580181278842721145157445093920626","281020779656150658262249392514651417441","81728902840756788118905029053104202032","153003392612639039015053362034188033819","334631939631766423336734575337914917658","133100325735030255892343501943521502296","339174795400585444649796179962817804962","31789045887475014360843847391442223606","51001931758672355991811202304213614764","179899152435135582631091853447362899637","175612020642637730266919599113400769411","176546919502424447928270098115248147252","292773081412494421832397044995159553985","94892346009481639743752446327664704060","157277863811005946263721187543226204930","31740606604468657816113425172092413499","86117790119277078518611574546101780666","179002801979341714673590596934916612451","190351232275168255583661559077224484034","131771852853636988406400712239382851492","312440778188375508293320343920751194786","175612020642637730266919599113400769411","305533996975702134318151534528370962419","305407463024304548130196606906410878762","56552629763519694068481929377640270020","74289387116037242937454469926291749203","166673087033210021482412079509103938487","70294741768864957187652077674035642872","155320782087496261936204309101341337970","242410599771186735230291531280240744557","175612020642637730266919599113400769411","305533996975702134318151534528370962419","108587633537507210242609878158511307392","74289387116037242937454469926291749203","1666730870332100214
82412079509103938487","239615710981798649689491041664128727572","220252604381542367242518316090293440354","242410599771186735230291531280240744557","175612020642637730266919599113400769411","305533996975702134318151534528370962419","108587633537507210242609878158511307392","110186862434276355389297313413696652206","31740606604468657816113425172092413499","86117790119277078518611574546101780666","248865246021370009199894230246925559977","146458202819675809074786056711614089930","305533996975702134318151534528370962419","305407463024304548130196606906410878762","4544111393618610573014631413676193190","194231714249816697885080011234107511497","27706849843802477482450086900044463075","318869707553593275920904519158553963108","136740233827061972712606801456794118327","311742849458327083898191164419147524220","136804269244426881888406030498841789687","328727094075969773062974969628149937118","329358049501924543218608842209070831188"]},"id":"CVE-2026-4177-1bbae7f4","deprecated":false,"target":{"file":"perl_syck.h"},"source":"https://github.com/cpan-authors/yaml-syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e","signature_type":"Line","signature_version":"v1"},{"digest":{"length":696,"function_hash":"308161429414908809509867125072997107129"},"id":"CVE-2026-4177-35d49f60","deprecated":false,"target":{"function":"syck_hdlr_add_anchor","file":"handler.c"},"source":"https://github.com/cpan-authors/yaml-syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e","signature_type":"Function","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["231937876541842789239375401667433462873","129420755963115915221785477498309603873","176193032504998138318987319753267044730","213270275091235657992546325276940841560"]},"id":"CVE-2026-4177-4274d603","target":{"file":"emitter.c"},"deprecated":false,"source":"https://github.com/cpan-authors/yaml-syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e","signature_type":"Line","signature_version":"v1"},{"digest":{"threshold":0.9,"line
_hashes":["181826821038736698477181572770467706333","155287332502159456004898518776951013462","24506876343145275255685998533543497653"]},"id":"CVE-2026-4177-79bf6a35","deprecated":false,"target":{"file":"handler.c"},"source":"https://github.com/cpan-authors/yaml-syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e","signature_type":"Line","signature_version":"v1"},{"digest":{"length":1181,"function_hash":"69308971524928998491421263821576580717"},"id":"CVE-2026-4177-973e9ebd","deprecated":false,"target":{"function":"syck_base64dec","file":"emitter.c"},"source":"https://github.com/cpan-authors/yaml-syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e","signature_type":"Function","signature_version":"v1"},{"digest":{"threshold":0.9,"line_hashes":["194441660789118097218422126307646736413","323491088317270314574321123694229931738","327707381181017904236718626478281173788","336915445678887540611159608587695440290"]},"id":"CVE-2026-4177-9e81eadc","target":{"file":"perl_common.h"},"deprecated":false,"source":"https://github.com/cpan-authors/yaml-syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e","signature_type":"Line","signature_version":"v1"}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-4177.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"}]}