In the bundled libsyck newline_len and is_newline dereference the scan pointer, and the following byte for a "\r\n" pair, with no NUL-terminator or bounds check. During block-scalar lexing at a document boundary the scan runs one byte past the heap lexer buffer. This is an incomplete fix of CVE-2025-11683, on a lexer path the earlier fix did not cover.
Any caller that runs Load or LoadFile on an untrusted document with a block scalar at a document boundary reaches the over-read.
Analysis and contextual insights are available on OpenCVE Cloud.
Vendor Solution
Upgrade to YAML-Syck 1.47 or later.
Tracking
Sign in to view the affected projects.
No advisories yet.
Fri, 17 Jul 2026 13:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Thu, 16 Jul 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Toddr
Toddr yaml::syck |
|
| Vendors & Products |
Toddr
Toddr yaml::syck |
Thu, 16 Jul 2026 22:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via an unbounded newline scan in newline_len. In the bundled libsyck newline_len and is_newline dereference the scan pointer, and the following byte for a "\r\n" pair, with no NUL-terminator or bounds check. During block-scalar lexing at a document boundary the scan runs one byte past the heap lexer buffer. This is an incomplete fix of CVE-2025-11683, on a lexer path the earlier fix did not cover. Any caller that runs Load or LoadFile on an untrusted document with a block scalar at a document boundary reaches the over-read. | |
| Title | YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via an unbounded newline scan in newline_len | |
| Weaknesses | CWE-125 | |
| References |
|
Status: PUBLISHED
Assigner: CPANSec
Published:
Updated: 2026-07-17T13:05:34.286Z
Reserved: 2026-06-23T18:02:32.995Z
Link: CVE-2026-57077
Updated: 2026-07-17T13:05:21.071Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T23:30:07Z