DEBIAN-CVE-2026-4177

Source
https://security-tracker.debian.org/tracker/CVE-2026-4177
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4177.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2026-4177
Upstream
Downstream
Published
2026-03-16T23:16:21.543Z
Modified
2026-03-22T23:00:10.202580Z
Severity
  • 9.1 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
Summary
[none]
Details

YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities, including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the end of the buffer on trailing newlines. strtok mutated n->typeid in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor: the incoming anchor string 'a' was leaked on the early return.
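
The defect classes described above, as an added example in C that is not YAML::Syck's own code: a growable emitter buffer that starts at 512 bytes and checks for room before every copy (the check whose absence produces the class-name overflow), next to the strtok-on-a-shared-string pattern and a copying alternative that leaves the shared node data untouched. The strbuf type, the "!!perl/hash:" tag prefix, the function names and the sample type-id string are assumptions for illustration; the base64 over-read and the anchor leak from the advisory are not reproduced here.

```c
/* Illustrative C for two defect classes the advisory names: a fixed 512-byte
 * emitter buffer that must grow instead of overflowing, and strtok() writing
 * into a shared type-id string. Added example, not YAML::Syck's own source;
 * names, the tag prefix and the sample strings are assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_CAP 512 /* the initial allocation size the advisory mentions */

typedef struct { char *data; size_t len, cap; } strbuf; /* len excludes NUL */

static int strbuf_init(strbuf *b) {
    b->data = malloc(INITIAL_CAP);
    if (b->data == NULL) return -1;
    b->data[0] = '\0'; b->len = 0; b->cap = INITIAL_CAP;
    return 0;
}

static void strbuf_free(strbuf *b) { free(b->data); b->data = NULL; b->len = b->cap = 0; }

/* Hardened append: check the room left and grow (doubling) before copying.
 * Copying a long class name into the initial 512 bytes without this check is
 * the overflow pattern the advisory describes. */
static int strbuf_append(strbuf *b, const char *s) {
    size_t n = strlen(s);
    if (n > SIZE_MAX - b->len - 1) return -1;       /* arithmetic would wrap */
    size_t need = b->len + n + 1;
    if (need > b->cap) {
        size_t newcap = b->cap;
        while (newcap < need) {
            if (newcap > SIZE_MAX / 2) return -1;
            newcap *= 2;
        }
        char *p = realloc(b->data, newcap);
        if (p == NULL) return -1;
        b->data = p; b->cap = newcap;
    }
    memcpy(b->data + b->len, s, n + 1);              /* copies the NUL too */
    b->len += n;
    return 0;
}

/* Emit a tag such as "!!perl/hash:My::Class" for a class name of any length. */
int emit_class_tag(strbuf *out, const char *class_name) {
    if (strbuf_append(out, "!!perl/hash:") != 0) return -1;
    return strbuf_append(out, class_name);
}

/* Emit a class name of name_len bytes ('A' repeated) into a fresh buffer and
 * return the capacity it reached (0 on failure); *len_out, if given, gets the
 * emitted length. */
size_t emit_long_class_tag(size_t name_len, size_t *len_out) {
    char *name = malloc(name_len + 1);
    if (name == NULL) return 0;
    memset(name, 'A', name_len); name[name_len] = '\0';
    strbuf out; size_t cap = 0;
    if (strbuf_init(&out) == 0) {
        if (emit_class_tag(&out, name) == 0) {
            cap = out.cap;
            if (len_out != NULL) *len_out = out.len;
        }
        strbuf_free(&out);
    }
    free(name);
    return cap;
}

size_t emit_long_class_tag_len(size_t name_len) {
    size_t len = 0;
    return emit_long_class_tag(name_len, &len) ? len : 0;
}

static char *dup_str(const char *s) {              /* portable strdup */
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p != NULL ? memcpy(p, s, n) : NULL;
}

/* Vulnerable pattern: strtok() overwrites the ':' with '\0' inside the caller's
 * own string, so every other holder of that type-id now sees it truncated. */
const char *first_type_token_inplace(char *typeid) { return strtok(typeid, ":"); }

/* Hardened form: tokenize a private copy; the caller frees the result. */
char *first_type_token_copy(const char *typeid) {
    char *copy = dup_str(typeid);
    if (copy == NULL) return NULL;
    char *tok = strtok(copy, ":");
    char *result = dup_str(tok != NULL ? tok : "");
    free(copy);
    return result;
}

/* 1 if tokenizing in place changed the shared string, 0 otherwise. */
int inplace_mutates_shared(void) {
    char shared[] = "perl/hash:My::Class";           /* constructed sample */
    first_type_token_inplace(shared);
    return strcmp(shared, "perl/hash:My::Class") != 0;
}

/* 1 if the copying form returned "perl/hash" and left the shared string intact. */
int copy_leaves_shared_intact(void) {
    char shared[] = "perl/hash:My::Class";
    char *tok = first_type_token_copy(shared);
    int ok = tok != NULL && strcmp(tok, "perl/hash") == 0
          && strcmp(shared, "perl/hash:My::Class") == 0;
    free(tok);
    return ok;
}

int main(void) {
    size_t len = 0, cap = emit_long_class_tag(600, &len);
    printf("600-byte class name: emitted %zu bytes, capacity %zu\n", len, cap);
    printf("strtok in place mutates shared type-id: %d\n", inplace_mutates_shared());
    printf("copying form leaves it intact: %d\n", copy_leaves_shared_intact());
    return 0;
}
```

The point of the buffer half is that the size check sits in the append routine, not at the call site, so a class name of any length either fits after growth or fails cleanly; the point of the strtok half is that any tokenizer which writes into its input must be handed a private copy when the input is shared node state.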

References

Affected packages

Debian:11 / libyaml-syck-perl

Package

Name
libyaml-syck-perl
Purl
pkg:deb/debian/libyaml-syck-perl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)

Affected versions

1.*
1.34-1
1.34-2
1.34-3
1.34-4
1.36-1
1.36-2

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4177.json"

Debian:12 / libyaml-syck-perl

Package

Name
libyaml-syck-perl
Purl
pkg:deb/debian/libyaml-syck-perl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.34-2+deb12u2

Affected versions

1.*
1.34-2
1.34-2+deb12u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4177.json"

Debian:13 / libyaml-syck-perl

Package

Name
libyaml-syck-perl
Purl
pkg:deb/debian/libyaml-syck-perl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.34-2+deb13u2

Affected versions

1.*
1.34-2
1.34-2+deb13u1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4177.json"

Debian:14 / libyaml-syck-perl

Package

Name
libyaml-syck-perl
Purl
pkg:deb/debian/libyaml-syck-perl?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.36-2

Affected versions

1.*
1.34-2
1.34-3
1.34-4
1.36-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Database specific

source
"https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2026-4177.json"