Fluid Attacks Database

Description

YAML::Syck versions before 1.38 for Perl has an out-of-bounds read. The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer: while ( colon >= ptr && *colon != ':' ) { colon--; } if ( *colon == ':' ) *colon = '\0'; // colon may be ptr-1 here When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 13	libyaml-syck-perl	=1.34-2 \|\| =1.34-2+deb13u1 \|\| =1.34-2+deb13u2 \|\| =1.34-3 \|\| =1.34-4 \|\| =1.36-1 \|\| =1.36-2 \|\| =1.36-3	-
debian 11	libyaml-syck-perl	=1.34-1 \|\| =1.34-1+deb11u1 \|\| =1.34-2 \|\| =1.34-3 \|\| =1.34-4 \|\| =1.36-1 \|\| =1.36-2 \|\| =1.36-3	-
debian 12	libyaml-syck-perl	=1.34-2 \|\| =1.34-2+deb12u1 \|\| =1.34-2+deb12u2 \|\| =1.34-3 \|\| =1.34-4 \|\| =1.36-1 \|\| =1.36-2 \|\| =1.36-3	-
debian 14	libyaml-syck-perl	=1.34-2 \|\| =1.34-3 \|\| =1.34-4 \|\| =1.36-1 \|\| =1.36-2 \|\| >=0 <1.36-3	1.36-3
rpm rhel6	perl-YAML-Syck	-	-
rpm rhel8	perl-YAML-Syck	-	-

Aliases

1. CVE-2026-50892. NVD-2026-50893. OSV-DEBIAN-2026-50894. OSV-2026-50895. SECURITY-TRACKER-CVE-2026-5089

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.