CVE-2026-5089 Overview
CVE-2026-5089 is an out-of-bounds read vulnerability in YAML::Syck for Perl, versions before 1.38. The flaw resides in the base60 (sexagesimal) parsing code in perl_syck.h and affects both the int#base60 and float#base60 handlers. When the parser reaches the leftmost segment of a colon-separated value such as 1:30:45, where no further colon exists, an inner while loop decrements a pointer past the start of the allocated string buffer. The subsequent dereference reads one byte before the buffer boundary, producing an out-of-bounds read classified under CWE-124.
Critical Impact
Network-reachable parsing of attacker-controlled YAML containing crafted base60 values can trigger a one-byte out-of-bounds read, potentially leading to information disclosure or process instability.
Affected Products
- YAML::Syck for Perl, all versions prior to 1.38
- Perl applications and CPAN modules that depend on YAML::Syck for YAML deserialization
- Distributions bundling vulnerable YAML::Syck releases through MetaCPAN
Discovery Timeline
- 2026-05-12 - CVE-2026-5089 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-5089
Vulnerability Analysis
The vulnerability is a buffer underflow leading to an out-of-bounds read in the base60 parser used by YAML::Syck. YAML supports a sexagesimal numeric notation where segments are separated by colons, for example 1:30:45 representing 1 hour, 30 minutes, 45 seconds. The parser walks the input from right to left, locating each : separator and converting each segment with strtod. The defect occurs when handling the leftmost segment, where no further colon exists to terminate the search.
Root Cause
In perl_syck.h, the loop condition while ( colon >= ptr && *colon != ':' ) permits colon to reach ptr - 1 because the loop exits only after decrementing past the start. The subsequent line if ( *colon == ':' ) then dereferences colon, reading one byte before the allocated buffer. The fix changes the loop bound to colon > ptr and adds an explicit branch for the no-colon case so that parsing falls back to strtod(ptr, NULL) without reading outside the buffer.
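To make the off-by-one concrete, the following C program is an added example (not YAML::Syck's own code) that models the base60 loop from perl_syck.h with both the pre-1.38 bound (colon >= ptr) and the patched bound (colon > ptr). The GUARD bytes, the peek() read tracer and the parse_base60() wrapper are assumptions introduced for the demonstration: the input is copied behind a few guard bytes inside a larger heap block so that the underflow can be observed as a recorded offset of -1 instead of undefined behaviour.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Syck's code. GUARD bytes (hypothetical) sit in front of
 * the string so that the vulnerable loop's read of ptr[-1] lands inside the
 * same heap block; peek() records the lowest offset dereferenced relative
 * to the start of the string, so -1 is the out-of-bounds read described
 * in the advisory. */
#define GUARD 4

struct trace {
    const char *base;   /* start of the logical string, i.e. ptr */
    long min_off;       /* lowest offset read, relative to base */
};

/* Every character read by the parser goes through here. */
static char peek(struct trace *t, const char *p)
{
    long off = (long)(p - t->base);
    if (off < t->min_off)
        t->min_off = off;
    return *p;
}

/* Parse a sexagesimal value ("1:30:45" -> 5445) from right to left.
 * fixed == 0 reproduces the vulnerable loop, fixed == 1 the patched one.
 * min_off, if non-NULL, receives the lowest offset dereferenced. */
static double parse_base60(const char *input, int fixed, long *min_off)
{
    size_t len = strlen(input);
    char *buf = malloc(GUARD + len + 1);
    char *ptr, *end;
    double total = 0, sixty = 1;
    struct trace t;

    if (min_off)
        *min_off = 0;
    if (!buf)
        return 0;
    memset(buf, ':', GUARD);            /* guard bytes look like separators */
    memcpy(buf + GUARD, input, len + 1);
    ptr = buf + GUARD;
    end = ptr + len;
    t.base = ptr;
    t.min_off = 0;

    while (end > ptr) {
        double bnum = 0;
        char *colon = end - 1;

        if (fixed) {
            /* Patched: stop at ptr and let the branch below classify it. */
            while (colon > ptr && peek(&t, colon) != ':')
                colon--;
            if (peek(&t, colon) == ':') {
                *colon = '\0';
                bnum = strtod(colon + 1, NULL);
                end = colon;
            } else {
                bnum = strtod(ptr, NULL);   /* leftmost segment, no colon */
                end = ptr;
            }
        } else {
            /* Vulnerable: on the leftmost segment colon ends at ptr - 1
             * and the test below dereferences it. */
            while (colon >= ptr && peek(&t, colon) != ':')
                colon--;
            if (peek(&t, colon) == ':')
                *colon = '\0';
            bnum = strtod(colon + 1, NULL);
            end = colon;
        }
        total += bnum * sixty;
        sixty *= 60;
    }

    if (min_off)
        *min_off = t.min_off;
    free(buf);
    return total;
}

/* Wrappers exposing the two observations separately. */
static double base60_value(const char *s, int fixed)
{
    return parse_base60(s, fixed, NULL);
}

static long base60_min_offset(const char *s, int fixed)
{
    long off;
    parse_base60(s, fixed, &off);
    return off;
}

int main(void)
{
    const char *samples[] = { "1:30:45", "45", ":30" };   /* constructed inputs */
    size_t i;
    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-8s vulnerable: value=%g min_off=%ld | fixed: value=%g min_off=%ld\n",
               samples[i],
               base60_value(samples[i], 0), base60_min_offset(samples[i], 0),
               base60_value(samples[i], 1), base60_min_offset(samples[i], 1));
    return 0;
}
```

Both variants compute the same numeric result; the difference is only visible in the access trace, where the vulnerable loop touches offset -1 on every input whose leftmost segment has no colon in front of it, while the patched loop never reads below offset 0. That is why the defect shows up under AddressSanitizer or Valgrind as a one-byte read before the allocation rather than as a wrong value.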
Attack Vector
An attacker supplies a YAML document containing a base60-typed scalar without a colon prefix segment to any Perl service that calls YAML::Syck::Load or related entry points on untrusted input. Because YAML parsing is commonly exposed in web APIs, configuration loaders, and message queues, the attack vector is network reachable and requires no authentication or user interaction.
{
NV bnum = 0;
char *colon = end - 1;
- while ( colon >= ptr && *colon != ':' )
+ while ( colon > ptr && *colon != ':' )
{
colon--;
}
- if ( *colon == ':' ) *colon = '\0';
-
- bnum = strtod( colon + 1, NULL );
+ if ( *colon == ':' ) {
+ *colon = '\0';
+ bnum = strtod( colon + 1, NULL );
+ end = colon;
+ } else {
+ bnum = strtod( ptr, NULL );
+ end = ptr;
+ }
total += bnum * sixty;
sixty *= 60;
- end = colon;
}
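Review bot: the hunk adds no regression test for the two inputs that exercise the new bound, a single-segment value such as 45 and a value beginning with a separator such as :30; with "while ( colon > ptr && *colon != ':' )" the inner loop now stops at ptr without inspecting it and relies entirely on the following "if ( *colon == ':' )" to classify that byte, so both cases deserve a test in the Syck test suite. It is also worth stating in the commit message that the new else branch's "end = ptr;" is what now terminates the outer loop after the leftmost segment, since the previous termination came from "end = colon;" with colon already sitting at ptr - 1.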
Source: GitHub YAML-Syck Patch
Detection Methods for CVE-2026-5089
Indicators of Compromise
- Perl process crashes or unexpected SIGSEGV signals originating in YAML::Syck parsing routines.
- AddressSanitizer or Valgrind reports flagging a 1-byte read before an allocated buffer inside perl_syck.h.
- YAML inputs containing base60 scalars with malformed or single-segment colon-separated values reaching parsers running pre-1.38 versions.
Detection Strategies
- Inventory installed CPAN modules and flag any YAML-Syck version below 1.38 using cpan -D YAML::Syck or distribution package managers.
- Apply static analysis or dependency scanning across source repositories to identify use YAML::Syck statements paired with untrusted YAML ingestion.
- Run fuzz tests against application YAML endpoints using payloads that contain bare base60 values to surface crashes attributable to this defect.
Monitoring Recommendations
- Monitor application logs for parser exceptions, segmentation faults, and abnormal termination of Perl workers handling YAML inputs.
- Track outbound error responses or process restarts on services that deserialize externally supplied YAML payloads.
- Alert on new deployments that pin YAML-Syck to versions earlier than 1.38 in build manifests and lockfiles.
How to Mitigate CVE-2026-5089
Immediate Actions Required
- Upgrade YAML::Syck to version 1.38 or later on every host where the module is installed.
- Audit Perl applications for YAML deserialization paths that accept untrusted input and prioritize patching those services first.
- Rebuild and redeploy container images, packaged applications, and CI artifacts that include the vulnerable module.
Patch Information
The upstream fix is committed in GitHub YAML-Syck Patch 208a4d3 and released in YAML-Syck 1.38. Release notes are available on the MetaCPAN YAML-Syck Changes page, with discussion in GitHub YAML-Syck Issue #132, GitHub YAML-Syck Pull Request #133, and the OpenWall OSS Security Discussion.
Workarounds
- Where upgrading is not immediately feasible, replace YAML::Syck with a maintained alternative such as YAML::XS or YAML::PP for untrusted input parsing.
- Apply strict input validation to reject YAML documents containing base60 scalars before passing data to the parser.
- Restrict YAML deserialization to authenticated, internal callers and run parsing workers under reduced privileges to limit blast radius.
# Upgrade YAML::Syck from CPAN (the Module@version pin syntax is a cpanm
# feature; with the stock cpan client run: cpan YAML::Syck)
cpanm YAML::Syck@1.38
# Verify the installed version
perl -MYAML::Syck -e 'print "$YAML::Syck::VERSION\n"'
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.