CVE-2026-5089 – YAML::Syck versions before 1.38 for Perl has an out-of-bounds read

CVE ID :CVE-2026-5089

Published : May 12, 2026, 5:16 p.m. | 41 minutes ago

Description :YAML::Syck versions before 1.38 for Perl has an out-of-bounds read.

The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer:

while ( colon >= ptr && *colon != ‘:’ )
{
colon–;
}
if ( *colon == ‘:’ ) *colon = ”; // colon may be ptr-1 here

When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent *colon dereference reads one byte before the allocated buffer.

Severity: 0.0 | NA

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-44167 – phpseclib: CVE-2024-27355 mitigation bypass — OID amplification DoS in ASN1::decodeOID()

CVE-2026-34644 – After Effects | Integer Overflow or Wraparound (CWE-190)

CVE-2026-34643 – After Effects | Out-of-bounds Write (CWE-787)

CVE-2026-34642 – After Effects | Heap-based Buffer Overflow (CWE-122)