CVE-2026-8796
Heap Out-of-Bounds Read in Sereal::Decoder
Publication date: 2026-05-31
Last updated on: 2026-05-31
Assigner: CPANSec
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| sereal | sereal | all versions before 5.005 (5.005 itself excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability involves a heap out-of-bounds read triggered by processing crafted Sereal-encoded data containing malicious COPY tags. Detection would involve identifying such malformed Sereal packets being processed by vulnerable versions of the Sereal::Decoder (before 5.005).
Since the vulnerability is specific to the decoding of Sereal data, detection on a network or system could involve monitoring for suspicious or malformed Sereal packets or logs indicating decoding errors or crashes related to srl_read_object() or srl_read_hash() functions.
No explicit detection commands or tools are provided in the available resources.
Can you explain this vulnerability to me?
CVE-2026-8796 is a security vulnerability in the decoder component of the Sereal data serialization format for Perl, Sereal::Decoder, in versions before 5.005. It involves a heap out-of-bounds read caused by processing a specially crafted COPY tag in Sereal-encoded data.
The vulnerability arises because the decoder re-decodes a back-reference COPY tag's target byte as a fresh tag. If this byte matches the SHORT_BINARY pattern (an inline string with length encoded in the tag's low bits), the decoder can read beyond the intended buffer boundary, consuming up to 31 bytes from the heap as class names or hash keys.
This happens because the COPY tag offset can point inside a previously decoded value rather than at a proper tag boundary, so a payload byte is misinterpreted as a tag and the decoder reads memory outside the valid input buffer.
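The check that closes this gap, as an added illustration written for this page and not code from the Sereal project: a COPY target is accepted only if it lies inside the body, falls on a position where a tag was actually decoded (so a payload byte such as 0x7F cannot be re-read as SHORT_BINARY_31), and, if it is an inline string, fits entirely within the body. Assumptions: the tag values (COPY = 0x2F, SHORT_BINARY_0..31 = 0x60..0x7F with the length in the low five bits) follow the published Sereal protocol as recalled here, offsets are 1-based from the start of the body, and the walker models only small positive integers, SHORT_BINARY and COPY; the function and enum names are invented for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Tag values per the Sereal protocol spec (assumption: quoted from memory). */
#define TAG_COPY              0x2F
#define TAG_SHORT_BINARY_LOW  0x60
#define TAG_SHORT_BINARY_HIGH 0x7F
#define MAX_TAGS              64   /* demo limit on tracked tag positions */

typedef enum {
    COPY_OK = 0,
    COPY_OUT_OF_BUFFER,     /* offset is 0 or lies past the end of the body */
    COPY_NOT_TAG_BOUNDARY,  /* offset points inside an already-decoded value */
    COPY_VALUE_TRUNCATED,   /* value at the target would extend past the body */
    COPY_UNSUPPORTED        /* tag this demo walker does not model */
} copy_check_t;

/* Sereal varints: little-endian base-128 with a continuation bit. */
bool read_varint(const uint8_t *buf, size_t len, size_t *pos, uint64_t *out)
{
    uint64_t value = 0;
    unsigned shift = 0;
    while (*pos < len) {
        uint8_t b = buf[(*pos)++];
        if (shift > 63)
            return false;                      /* overlong varint */
        value |= (uint64_t)(b & 0x7F) << shift;
        if (!(b & 0x80)) { *out = value; return true; }
        shift += 7;
    }
    return false;                              /* ran off the end of the body */
}

/* Validate a COPY target before dereferencing it. `offset` is the varint after
 * the COPY tag (1-based from body start); `tag_starts` holds the body positions
 * of every tag decoded before this COPY. */
copy_check_t check_copy_target(const uint8_t *body, size_t body_len, uint64_t offset,
                               const size_t *tag_starts, size_t n_tags)
{
    if (offset == 0 || offset > body_len)
        return COPY_OUT_OF_BUFFER;
    size_t target = (size_t)(offset - 1);

    /* The missing check: the target must be where a tag actually began, not a
     * payload byte of an earlier value that merely looks like a tag. */
    bool on_boundary = false;
    for (size_t i = 0; i < n_tags; i++)
        if (tag_starts[i] == target) { on_boundary = true; break; }
    if (!on_boundary)
        return COPY_NOT_TAG_BOUNDARY;

    /* Defence in depth: even on a boundary, an inline string must fit. */
    uint8_t tag = body[target];
    if (tag >= TAG_SHORT_BINARY_LOW && tag <= TAG_SHORT_BINARY_HIGH) {
        size_t n = tag - TAG_SHORT_BINARY_LOW;   /* 0..31 */
        if (target + 1 + n > body_len)
            return COPY_VALUE_TRUNCATED;
    }
    return COPY_OK;
}

/* Walk a body made only of the tags this demo models (POS_0..POS_15,
 * SHORT_BINARY, COPY), recording tag boundaries and validating every COPY. */
copy_check_t validate_body(const uint8_t *body, size_t body_len)
{
    size_t tag_starts[MAX_TAGS];
    size_t n_tags = 0, pos = 0;
    while (pos < body_len) {
        if (n_tags == MAX_TAGS)
            return COPY_UNSUPPORTED;
        tag_starts[n_tags++] = pos;
        uint8_t tag = body[pos];
        if (tag <= 0x0F) {
            pos += 1;                                    /* small positive int */
        } else if (tag >= TAG_SHORT_BINARY_LOW && tag <= TAG_SHORT_BINARY_HIGH) {
            size_t n = tag - TAG_SHORT_BINARY_LOW;
            if (pos + 1 + n > body_len)
                return COPY_VALUE_TRUNCATED;
            pos += 1 + n;
        } else if (tag == TAG_COPY) {
            pos += 1;
            uint64_t offset;
            if (!read_varint(body, body_len, &pos, &offset))
                return COPY_OUT_OF_BUFFER;
            /* n_tags - 1: the COPY itself is never a valid target. */
            copy_check_t r = check_copy_target(body, body_len, offset,
                                               tag_starts, n_tags - 1);
            if (r != COPY_OK)
                return r;
        } else {
            return COPY_UNSUPPORTED;
        }
    }
    return COPY_OK;
}

int main(void)
{
    /* Constructed inputs: a legitimate COPY of "abc", and the scenario from the
     * description, a COPY whose offset lands on a payload byte (0x7F). */
    const uint8_t good[] = { 0x63, 'a', 'b', 'c', TAG_COPY, 0x01 };
    const uint8_t bad[]  = { 0x63, 'a', 'b', 0x7F, TAG_COPY, 0x04 };
    printf("good -> %d (expect %d)\n", validate_body(good, sizeof good), COPY_OK);
    printf("bad  -> %d (expect %d)\n", validate_body(bad, sizeof bad), COPY_NOT_TAG_BOUNDARY);
    return 0;
}
```

Without the boundary check, the second input would have the decoder treat 0x7F as SHORT_BINARY_31 and read 31 bytes starting past the two remaining body bytes, which is the out-of-bounds read the description refers to; tracking decoded tag positions rejects it before any memory is touched.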
How can this vulnerability impact me?
This vulnerability can lead to heap out-of-bounds reads, which may allow an attacker to read sensitive memory contents beyond the intended buffer.
Such out-of-bounds reads can result in information disclosure, potentially exposing sensitive data processed or stored in memory by the affected application.
While the vulnerability does not directly allow code execution, the leakage of memory contents can aid attackers in further attacks or reconnaissance.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation step is to upgrade the Sereal::Decoder to version 5.005 or later, where the vulnerability has been fixed by adding proper bounds checking on COPY tag offsets.
Applying the patch from the official Sereal repository that addresses this issue will prevent heap out-of-bounds reads caused by crafted input.
Additionally, reviewing and updating any systems or applications that decode Sereal data to ensure they use the patched version will reduce exposure.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability in Sereal::Decoder allows heap out-of-bounds reads which can lead to potential information disclosure by reading memory outside the intended buffer bounds.
Such information disclosure risks could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access or leaks.
However, the provided information does not explicitly discuss or analyze the direct impact of this vulnerability on compliance with these standards.