CVE-2026-4177
CriticalCVSS 9.1Exploitation Probability (EPSS)
Low risk34th percentile - higher than 34% of all known CVEs
Summary
The YAML::Syck library up to version 1.36 for Perl contains several potential security vulnerabilities, including a high-severity heap buffer overflow in the YAML emitter. The overflow occurs when class names exceed the initial 512-byte allocation.
Risk Assessment
The risk includes potential remote code execution or application crashes due to heap buffer overflow, as well as memory leaks and corruption of shared node data, which may lead to unpredictable system behavior.
Recommendation
It is recommended to immediately update the YAML::Syck library to the latest available version or migrate to an alternative YAML library such as YAML::XS, which is actively maintained.
Original NVD description (English source)
YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

