CVE-2024-14031
Buffer Overflow in Sereal::Encoder's Embedded Zstandard Library

Publication date: 2026-03-31

Last updated on: 2026-04-13

Assigner: CPANSec

Description
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard (zstd) library, one affected by CVE-2019-11922. That issue is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-31
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: yves
Product: sereal
Version / Range: From 4.000 (inc) to 4.010 (exc)
CWE
CWE-787: The product writes data past the end, or before the beginning, of the intended buffer.
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability affects Sereal::Encoder versions 4.000 through 4.009_002 for Perl, which embed a vulnerable version of the Zstandard (zstd) compression library. The flaw is a race condition in the one-pass compression functions of Zstandard versions prior to 1.3.8. This race condition occurs due to improper synchronization when multiple threads access shared resources concurrently.

If an output buffer smaller than the recommended size is used during compression, an attacker could exploit this flaw to write bytes out of bounds, causing a buffer overwrite.


How can this vulnerability impact me?

Exploitation of this vulnerability can lead to serious security impacts including data corruption, unauthorized data modification, and potential service disruption.

Because the vulnerability allows out-of-bounds writes, it can compromise the confidentiality, integrity, and availability of affected systems.

The vulnerability has a high severity score (CVSS v3 base score of 8.1) and can be exploited remotely without requiring privileges or user interaction, making it a significant risk.


What immediate steps should I take to mitigate this vulnerability?

The vulnerability is due to a race condition in the Zstandard library versions prior to 1.3.8 embedded in Sereal::Encoder versions 4.000 through 4.009_002 for Perl.

To mitigate this vulnerability, you should upgrade so that the embedded Zstandard library is version 1.3.8 or later, where the race condition is fixed.

If upgrading is not immediately possible, avoid using output buffers smaller than the recommended size during compression to reduce the risk of exploitation.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability involves a race condition that can lead to out-of-bounds writes, potentially causing data corruption or unauthorized data modification. Such impacts on data integrity and confidentiality could affect compliance with standards like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and alteration.

However, there is no explicit information provided in the available resources about direct effects on compliance with these regulations.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

There is no specific detection method or commands provided in the available information for identifying this vulnerability on your network or system.

