CVE-2026-57076

Source
https://cve.org/CVERecord?id=CVE-2026-57076
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57076.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-57076
Downstream
Related
Published
2026-07-16T21:40:59.686Z
Modified
2026-07-19T03:31:10.306476880Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
YAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name reused as an anchors-table key in syck_hdlr_add_anchor
Details

YAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name reused as an anchors-table key in syckhdlradd_anchor.

In the bundled libsyck an anchor name allocated by syckstrndup is stored both as node->anchor, freed when the node is freed, and as the key in the parser's anchors table. Freeing the node frees the shared key, and a later anchor redefinition makes stdelete compare against the freed key, so st_strcmp reads freed heap memory. Anchors are a standard YAML feature and need no special flags, so this is reached on the default Load path.

Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor reaches the read of freed memory.

Database specific
{
    "cwe_ids": [
        "CWE-416"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/57xxx/CVE-2026-57076.json",
    "cna_assigner": "CPANSec"
}
References

Affected packages

Git / github.com/cpan-authors/YAML-Syck

Affected ranges

Type
GIT
Repo
https://github.com/cpan-authors/YAML-Syck
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.47"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.01
0.02
0.03
0.04
0.05
0.06
0.07
0.08
0.09
0.10
0.11
0.12
0.13
0.14
0.15
0.16
0.17
0.18
0.19
0.20
0.21
0.22
0.23
0.24
0.25
0.26
0.27
0.28
0.29
0.30
0.31
0.32
0.33
0.34
0.35
0.36
0.37
0.38
0.40
0.41
0.42
0.43
0.44
0.45
0.46_01
0.60
0.61
0.62
0.63
0.64
0.65
0.66
0.67
0.70
0.71
0.72
0.80
0.81
0.82
0.84
0.85
0.86
0.87
0.88
0.90
0.91
0.94
0.95
0.96
0.97
0.98
0.99
1.*
1.00
1.01
1.02
1.03
1.04
1.05
1.07
1.07_01
1.08
1.08_01
1.09
1.10
1.10_01
1.10_02
1.10_03
1.10_04
1.10_05
1.10_06
1.10_07
1.11
1.12
1.13
1.14
1.15
1.20
1.21_01
1.22
1.23
1.24_01
1.24_02
1.26
1.27
1.28
1.28_01
1.29_01
1.30
1.30_01
1.31
1.32
1.33
1.34
1.35
1.36
1.37
1.37_01
1.38
1.39
1.41
1.42
1.43
1.44
1.45
1.46
v1.*
v1.28
v1.28_01
v1.29_01
v1.30
v1.30_01
v1.31
v1.32
v1.33
v1.34
v1.35
v1.36

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-57076.json"