{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-5089","assignerOrgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","state":"PUBLISHED","assignerShortName":"CPANSec","dateReserved":"2026-03-28T19:33:37.653Z","datePublished":"2026-05-12T16:14:21.951Z","dateUpdated":"2026-05-14T13:51:01.952Z"},"containers":{"cna":{"affected":[{"collectionURL":"https://cpan.org/modules","defaultStatus":"unaffected","packageName":"YAML-Syck","product":"YAML::Syck","programFiles":["perl_syck.h"],"repo":"https://github.com/toddr/YAML-Syck","vendor":"TODDR","versions":[{"lessThan":"1.38","status":"affected","version":"0","versionType":"custom"}]}],"descriptions":[{"lang":"en","value":"YAML::Syck versions before 1.38 for Perl  has an out-of-bounds read.\n\nThe base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:\n\n    while ( colon >= ptr && *colon != ':' )\n    {\n        colon--;\n    }\n    if ( *colon == ':' ) *colon = '\\0';  // colon may be ptr-1 here\n\nWhen no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer."}],"problemTypes":[{"descriptions":[{"cweId":"CWE-124","description":"CWE-124 Buffer Underwrite ('Buffer Underflow')","lang":"en","type":"CWE"}]}],"providerMetadata":{"orgId":"9b29abf9-4ab0-4765-b253-1875cd9b441e","shortName":"CPANSec","dateUpdated":"2026-05-12T16:14:21.951Z"},"references":[{"tags":["release-notes"],"url":"https://metacpan.org/release/TODDR/YAML-Syck-1.38/changes"},{"tags":["issue-tracking"],"url":"https://github.com/cpan-authors/YAML-Syck/issues/132"},{"tags":["issue-tracking"],"url":"https://github.com/cpan-authors/YAML-Syck/pull/133"},{"tags":["patch"],"url":"https://github.com/cpan-authors/YAML-Syck/commit/208a4d3bd1b5cdb4a791a6e3905bd6bd45e9d005.patch"}],"solutions":[{"lang":"en","value":"Upgrade to YAML::Syck version 1.38 or later."}],"source":{"discovery":"UNKNOWN"},"title":"YAML::Syck versions before 1.38 for Perl has an out-of-bounds read","x_generator":{"engine":"cpansec-cna-tool 0.1"}},"adp":[{"title":"CVE Program Container","references":[{"url":"http://www.openwall.com/lists/oss-security/2026/05/12/16"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-05-12T18:35:46.042Z"}},{"references":[{"url":"https://github.com/cpan-authors/YAML-Syck/issues/132","tags":["exploit"]}],"metrics":[{"cvssV3_1":{"scope":"UNCHANGED","version":"3.1","baseScore":7.3,"attackVector":"NETWORK","baseSeverity":"HIGH","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L","integrityImpact":"LOW","userInteraction":"NONE","attackComplexity":"LOW","availabilityImpact":"LOW","privilegesRequired":"NONE","confidentialityImpact":"LOW"}},{"other":{"type":"ssvc","content":{"timestamp":"2026-05-14T13:50:53.123874Z","id":"CVE-2026-5089","options":[{"Exploitation":"poc"},{"Automatable":"yes"},{"Technical Impact":"partial"}],"role":"CISA Coordinator","version":"2.0.3"}}}],"title":"CISA ADP Vulnrichment","providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-05-14T13:51:01.952Z"}}]}}