CVE-2024-14031
Received Received - Intake
Buffer Overflow in Sereal::Encoder's Embedded Zstandard Library

Publication date: 2026-03-31

Last updated on: 2026-04-13

Assigner: CPANSec

Description
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embeds a vulnerable version of the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-31
Last Modified
2026-04-13
Generated
2026-06-16
AI Q&A
2026-03-31
EPSS Evaluated
2026-06-14
NVD
CVE-2024-14031
EUVD
EUVD-2024-55512
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
yves sereal From 4.000 (inc) to 4.010 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-787 The product writes data past the end, or before the beginning, of the intended buffer.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability affects Sereal::Encoder versions 4.000 through 4.009_002 for Perl, which embed a vulnerable version of the Zstandard (zstd) compression library. The flaw is a race condition in the one-pass compression functions of Zstandard versions prior to 1.3.8. This race condition occurs due to improper synchronization when multiple threads access shared resources concurrently.

If an output buffer smaller than the recommended size is used during compression, an attacker could exploit this flaw to write bytes out of bounds, causing a buffer overwrite.

Impact Analysis

Exploitation of this vulnerability can lead to serious security impacts including data corruption, unauthorized data modification, and potential service disruption.

Because the vulnerability allows out-of-bounds writes, it can compromise the confidentiality, integrity, and availability of affected systems.

The vulnerability has a high severity score (CVSS v3 base score of 8.1) and can be exploited remotely without requiring privileges or user interaction, making it a significant risk.

Mitigation Strategies

The vulnerability is due to a race condition in the Zstandard library versions prior to 1.3.8 embedded in Sereal::Encoder versions 4.000 through 4.009_002 for Perl.

To mitigate this vulnerability, you should upgrade the Zstandard library to version 1.3.8 or later where the race condition is fixed.

If upgrading is not immediately possible, avoid using output buffers smaller than the recommended size during compression to reduce the risk of exploitation.

Compliance Impact

The vulnerability involves a race condition that can lead to out-of-bounds writes, potentially causing data corruption or unauthorized data modification. Such impacts on data integrity and confidentiality could affect compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and alteration.

However, there is no explicit information provided in the available resources about direct effects on compliance with these regulations.

Detection Guidance

There is no specific detection method or commands provided in the available information for identifying this vulnerability on your network or system.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2024-14031. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart