PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-57075 TODDR CVE debrief

CVE-2026-57075 is an out-of-bounds read vulnerability in YAML::Syck versions before 1.47 for Perl. The base64 decoder in the bundled libsyck indexes a 256-entry static table with a signed char, allowing any !!binary byte >= 0x80 to sign-extend to a negative index and read before the table. This issue is triggered when Load or LoadFile is run on an untrusted document containing a !!binary scalar with a high-bit byte. The vulnerability has a high impact and should be addressed promptly.

Vendor
TODDR
Product
YAML::Syck
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-07-16
Original CVE updated
2026-07-17
Advisory published
2026-07-16
Advisory updated
2026-07-17

Who should care

Users of YAML::Syck versions before 1.47 for Perl should be aware of this vulnerability, especially those who handle untrusted YAML documents. This includes developers, security teams, and operators who work with YAML files. They should review the vulnerability details and plan for updates or mitigations.

Technical summary

The vulnerability lies in the syck_base64dec function, which uses a signed char to index a 256-entry static table. When a !!binary byte >= 0x80 is encountered, it sign-extends to a negative index, causing an out-of-bounds read. This can be triggered by loading an untrusted YAML document containing a !!binary scalar with a high-bit byte using Load or LoadFile. The issue affects YAML::Syck versions before 1.47 for Perl.

Defensive priority

High priority should be given to updating YAML::Syck to version 1.47 or later, as this vulnerability can be exploited by loading malicious YAML documents.

Recommended defensive actions

  • Update YAML::Syck to version 1.47 or later
  • Validate and sanitize all YAML input
  • Use secure YAML loading mechanisms
  • Review compensating controls for exposed systems while remediation is scheduled and verified
  • Check relevant monitoring, detection, and logs for exposed assets that need extra review
  • Track exceptions, retest remediated assets, and close the item only after evidence is documented
  • Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up

Evidence notes

The CVE record was published on 2026-07-16T22:17:43.447Z and has not been modified since then. The NVD entry is currently in the 'Received' status. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The base64 decoder in the bundled libsyck indexes a 256-entry static table with a signed char, allowing any !!binary byte >= 0x80 to sign-extend to a negative index and read before the table.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T22:17:43.447Z and has not been modified since then.