{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-4177","assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","state":"PUBLISHED","assignerShortName":"CPANSec","dateReserved":"2026-03-14T19:36:56.710Z","datePublished":"2026-03-16T22:30:25.367Z","dateUpdated":"2026-03-17T14:04:53.600Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"YAML-Syck","product":"YAML::Syck","programFiles":["emitter.c","handler.c","perl_common.h","perl_syck.h"],"programRoutines":[{"name":"YAML::Syck::yaml_syck_emitter_handler()"},{"name":"YAML::Syck::syck_base64dec()"},{"name":"YAML::Syck::yaml_syck_parser_handler()"},{"name":"YAML::Syck::syck_hdlr_add_anchor()"}],"repo":"https://github.com/cpan-authors/YAML-Syck","vendor":"TODDR","versions":[{"lessThanOrEqual":"1.36","status":"affected","version":"0","versionType":"custom"}]}],"credits":[{"lang":"en","type":"finder","value":"Todd Rinaldo"}],"descriptions":[{"lang":"en","value":"YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities, including a high-severity heap-based buffer overflow in the YAML emitter.\n\nThe heap overflow occurs in the emitter when a class name exceeds the initial 512-byte allocation; in practice this requires that an attacker can influence the class name being serialized.\n\nThe base64 decoder could read past the end of its input buffer (an out-of-bounds read) when the input ends in trailing newlines.\n\nstrtok mutated n->type_id in place, corrupting shared node data.\n\nA memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor: the incoming anchor string 'a' was leaked on the early return."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-122","description":"CWE-122 Heap-based Buffer Overflow","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec","dateUpdated":"2026-03-16T22:30:25.367Z"},"references":[{"tags":["patch"],"url":"https://github.com/cpan-authors/YAML-Syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e.patch"},{"tags":["release-notes"],"url":"https://metacpan.org/release/TODDR/YAML-Syck-1.37_01/changes#L21"}],"solutions":[{"lang":"en","value":"Upgrade to version 1.37 or higher."}],"source":{"discovery":"UNKNOWN"},"title":"YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter","x_generator":{"engine":"cpansec-cna-tool 0.1"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/03/16/6"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-03-17T01:34:04.213Z"}},{"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":9.1,"attackVector":"NETWORK","baseSeverity":"CRITICAL","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H","integrityImpact":"NONE","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"HIGH","privilegesRequired":"NONE","confidentialityImpact":"HIGH"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-03-17T14:04:29.127464Z","id":"CVE-2026-4177","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-03-17T14:04:53.600Z"}}]}}