CVE-2026-8796: CWE-125 Out-of-bounds Read in YVES Sereal::Decoder
Sereal::Decoder versions before 5.005 for Perl allow a heap out-of-bounds read via crafted input. In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag's own offset and can run past the end of the input buffer. An attacker-controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path).
AI Analysis
Technical Summary
The vulnerability in Sereal::Decoder occurs in the srl_read_object() and srl_read_hash() functions when handling a COPY tag. The decoder re-decodes a back-reference target byte as a fresh tag, and if this byte matches the SHORT_BINARY pattern, the read operation is not properly bounded. This allows an attacker-controlled COPY offset to cause a heap out-of-bounds read, potentially leaking up to 31 bytes of heap memory as part of object or hash key decoding. This is classified as a CWE-125 (Out-of-bounds Read) vulnerability. No CVSS score or patch information is currently available.
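The bound that the description and the technical summary above say is missing, as an added example that is not Sereal's own code: a minimal COPY resolver that rejects a target which is not a recorded tag boundary and rejects a SHORT_BINARY payload that would not end before the COPY tag's own offset. The SHORT_BINARY tag range 0x60..0x7F and the byte layout are assumptions taken from the public Sereal protocol; the input buffer is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
/* Added example, not Sereal's own code. Assumed (public Sereal protocol): SHORT_BINARY
 * tags are 0x60..0x7F with the string length (0..31) in the low five bits, bytes following. */
#define SHORT_BINARY_BASE     0x60u
#define SHORT_BINARY_LEN_MASK 0x1Fu
enum copy_status {
    COPY_OK = 0,
    COPY_ERR_TARGET_NOT_BEFORE_COPY, /* target must lie before the COPY tag       */
    COPY_ERR_NOT_TAG_BOUNDARY,       /* target is inside an already decoded value */
    COPY_ERR_NOT_SHORT_BINARY,       /* target byte is not a SHORT_BINARY tag     */
    COPY_ERR_LENGTH_PAST_COPY        /* inline string would run past the COPY tag */
};

/* Resolve a COPY at offset copy_pos naming offset target. tag_offsets (NULL to skip)
 * are offsets where a tag already started; out must hold 31 bytes. The final check,
 * payload ending before copy_pos, is the bound the advisory describes as missing. */
enum copy_status resolve_copy_short_binary(const uint8_t *buf, size_t buf_len,
                                           size_t copy_pos, size_t target,
                                           const size_t *tag_offsets, size_t n_tags,
                                           uint8_t *out, size_t *out_len) {
    if (copy_pos >= buf_len || target >= copy_pos)
        return COPY_ERR_TARGET_NOT_BEFORE_COPY;    /* implies target < buf_len */
    if (tag_offsets != NULL) {
        size_t i = 0;
        while (i < n_tags && tag_offsets[i] != target) i++;
        if (i == n_tags) return COPY_ERR_NOT_TAG_BOUNDARY;
    }
    uint8_t tag = buf[target];
    if ((tag & ~SHORT_BINARY_LEN_MASK) != SHORT_BINARY_BASE)
        return COPY_ERR_NOT_SHORT_BINARY;
    size_t n = tag & SHORT_BINARY_LEN_MASK;        /* 0..31, attacker-chosen */
    if (n > copy_pos - target - 1)                 /* payload must end before the COPY */
        return COPY_ERR_LENGTH_PAST_COPY;
    memcpy(out, buf + target + 1, n);
    *out_len = n;
    return COPY_OK;
}

/* Constructed input: offset 0 is SHORT_BINARY(3) "ab\x7F"; a COPY at offset 4 naming
 * offset 3 lands inside that string, where 0x7F reads as SHORT_BINARY(31). */
static const uint8_t crafted_input[] = {0x63, 'a', 'b', 0x7F, 0x2F, 0x03};
static const size_t  crafted_tags[]  = {0, 4};
/* Status for a COPY at offset 4 naming target; use_tags enables the boundary check. */
enum copy_status check_crafted(size_t target, int use_tags, size_t *out_len) {
    uint8_t out[32];
    return resolve_copy_short_binary(crafted_input, sizeof crafted_input, 4, target,
                                     use_tags ? crafted_tags : NULL, 2, out, out_len);
}
```

Without the boundary list the length check alone still rejects the planted 0x7F byte, because its 31-byte payload cannot fit between offset 4 and the COPY tag at offset 4.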
Potential Impact
The vulnerability allows an attacker to cause the decoder to read beyond the intended buffer boundaries on the heap, potentially exposing sensitive memory contents such as class names or hash keys. There is no information about known exploits in the wild. The impact is limited to information disclosure via heap memory reads. No direct code execution or denial of service is described.
Mitigation Recommendations
Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. Until an official fix is available, users should consider avoiding processing untrusted or crafted input with affected versions of Sereal::Decoder. Monitor vendor channels for updates or patches addressing this vulnerability.
CVSS v3.1
Score 8.1 (High)
Technical Details
- Data Version: 5.2
- Assigner Short Name: CPANSec
- Date Reserved: 2026-05-18T00:38:16.965Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 6a1c979ce29bf47b5059146a
Added to database: 5/31/2026, 8:18:36 PM
Last enriched: 5/31/2026, 8:33:27 PM
Last updated: 6/2/2026, 4:58:38 AM