CVE-2026-57076
Received Received - Intake

Heap Use-After-Free in YAML::Syck Perl Module

Vulnerability report for CVE-2026-57076, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: CPANSec

Description

YAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name reused as an anchors-table key in syck_hdlr_add_anchor. In the bundled libsyck an anchor name allocated by syck_strndup is stored both as node->anchor, freed when the node is freed, and as the key in the parser's anchors table. Freeing the node frees the shared key, and a later anchor redefinition makes st_delete compare against the freed key, so st_strcmp reads freed heap memory. Anchors are a standard YAML feature and need no special flags, so this is reached on the default Load path. Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor reaches the read of freed memory.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-17
AI Q&A
2026-07-17
EPSS Evaluated
N/A
NVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
yaml syck to 1.47 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-416 The product reuses or references memory after it has been freed. At some point afterward, the memory may be allocated again and saved in another pointer, while the original pointer references a location somewhere within the new allocation. Any operations using the original pointer are no longer valid because the memory "belongs" to the code that operates on the new pointer.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a heap use-after-free issue in YAML::Syck versions before 1.47 for Perl. It occurs when an anchor name is reused as a key in the anchors table. The anchor name is stored both as node->anchor and as a key in the parser's anchors table. When the node is freed, the shared key is also freed. Later, redefining the anchor causes the freed key to be compared against, leading to reading freed heap memory.

Detection Guidance

This vulnerability involves a heap use-after-free in YAML::Syck versions before 1.47. Detection requires checking the installed version of YAML::Syck on your system. Use the command 'perl -MYAML::Syck -e "print $YAML::Syck::VERSION"' to verify the version. If the output is less than 1.47, the system is vulnerable.

Impact Analysis

Any application using YAML::Syck versions before 1.47 that processes untrusted YAML documents could be affected. Attackers could exploit this to read freed memory, potentially leading to information disclosure or crashes. This is especially risky for applications that handle user-provided YAML data.

Mitigation Strategies

Immediately update YAML::Syck to version 1.47 or later. Use the command 'cpan YAML::Syck' to upgrade. Avoid processing untrusted YAML documents until the update is applied. If updating is not possible, consider disabling YAML parsing for untrusted inputs as a temporary workaround.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-57076. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart