CVE-2026-13713
Received Received - Intake

Double Free in YAML::Syck Perl Module

Vulnerability report for CVE-2026-13713, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: CPANSec

Description

YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack. In the bundled libsyck, when an anchor name is redefined or removed, syck_hdlr_add_anchor and syck_hdlr_remove_anchor free the node stored under that name with syck_free_node. That node can still be live on the parser's value stack, so syck_hdlr_add_node reaches it again and frees it a second time. On a normal build the 48-byte node chunk is freed twice and the interpreter aborts. Anchors need no special flags, so this is reached on the default Load path, and a 7-byte document that redefines an anchor triggers it. Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor mid-parse crashes the interpreter, a denial of service.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
yaml syck 1.47

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.
CWE-415 The product calls free() twice on the same memory address.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a use-after-free and double-free issue in YAML::Syck versions before 1.47 for Perl. It occurs when an anchor node is freed while still active on the parser's value stack. If an anchor name is redefined or removed during parsing, the node is freed twice, causing the interpreter to crash. This can be triggered by a small document that redefines an anchor, leading to a denial of service.

Detection Guidance

This vulnerability is specific to the YAML::Syck Perl module and requires parsing a malformed YAML document with redefined anchor names. Detection involves checking for crashes when processing YAML files. No direct network detection commands are applicable.

Impact Analysis

If you process untrusted YAML documents using affected versions of YAML::Syck, an attacker could craft a document that redefines an anchor to crash your Perl interpreter. This results in a denial of service, halting the application or system until manually restarted.

Mitigation Strategies

Upgrade YAML::Syck to version 1.47 or later. Avoid parsing untrusted YAML documents until patched. Review Perl applications using YAML::Syck for exposure to anchor redefinition issues.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-13713. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart