CVE-2026-8796

Severity CVSS v4.0:

Pending analysis

Type:

CWE-125 Out-of-bounds Read

Publication date:

31/05/2026

Last modified:

01/06/2026

Description

Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input.<br /> <br /> In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag&#39;s own offset and can run past the end of the input buffer. An attacker controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path).

Impact

References to Advisories, Solutions, and Tools

https://github.com/Sereal/Sereal/commit/303a2c69cdba80bf37a3ff43461e0aa78198a7a3.patch
https://metacpan.org/release/YVES/Sereal-Decoder-5.005/changes
http://www.openwall.com/lists/oss-security/2026/06/01/1