Fluid Attacks Database

Description

YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 14	libyaml-syck-perl	=1.34-2 \|\| =1.34-3 \|\| =1.34-4 \|\| =1.36-1 \|\| >=0 <1.36-2	1.36-2
rpm rhel7	perl-YAML-Syck	-	-
rpm rhel8	perl-YAML-Syck	<0:1.30-6.el8_10	0:1.30-6.el8_10
debian 11	libyaml-syck-perl	=1.34-1 \|\| >=0 <1.34-1+deb11u1	1.34-1+deb11u1
debian 13	libyaml-syck-perl	=1.34-2 \|\| =1.34-2+deb13u1 \|\| >=0 <1.34-2+deb13u2	1.34-2+deb13u2
debian 12	libyaml-syck-perl	=1.34-2 \|\| =1.34-2+deb12u1 \|\| >=0 <1.34-2+deb12u2	1.34-2+deb12u2
rpm rhel6	perl-YAML-Syck	-	-

Aliases

1. CVE-2026-41772. NVD-2026-41773. OSV-DEBIAN-2026-41774. OSV-2026-41775. SECURITY-TRACKER-CVE-2026-4177

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.