CVE-2024-14030
Buffer Overflow in Sereal::Decoder's Zstandard Library Causes Memory Corruption
Publication date: 2026-03-31
Last updated on: 2026-04-13
Assigner: CPANSec
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yves | sereal | From 4.000 (inc) to 4.010 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-787 | The product writes data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability affects Sereal::Decoder versions 4.000 through 4.009_002 for Perl, which embed a copy of the Zstandard (zstd) library that is itself affected by CVE-2019-11922.
That upstream flaw is an out-of-bounds write caused by a race condition in the one-pass compression functions of Zstandard versions prior to 1.3.8.
If the caller supplies an output buffer smaller than the size the library recommends, the library can write bytes past the end of that buffer.
How can this vulnerability impact me?
An out-of-bounds write of this kind can cause unpredictable behavior such as application crashes or data corruption, and may in some circumstances allow an attacker to execute arbitrary code.
The actual impact depends on how the vulnerable Sereal::Decoder is used in your environment and on whether an attacker can supply the input that reaches the embedded Zstandard code. Upgrading Sereal::Decoder to 4.010 or later, which no longer carries the affected zstd version, removes the issue.