Review
YVES
CVE published 2026-05-31
CVE-2026-8796
A heap out-of-bounds read vulnerability exists in Sereal::Decoder for Perl versions before 5.005. The flaw resides in the decoder's handling of COPY tags within srl_read_object() and srl_read_hash() in Perl/Decoder/srl_decoder.c. When a COPY tag's target byte is re-decoded and matches the SHORT_BINARY pattern, the resulting read is not properly bounded to precede the COPY tag's own offset. This allows an [truncated]
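The bound the description says is missing, as an added example (not Sereal's code and not the actual fix): a re-decoded SHORT_BINARY target must end before the COPY tag that refers to it. The helper name, the 0-based positions and the sample buffers are assumptions for illustration; the tag values are taken from the public Sereal format specification, not from this advisory.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed from the public Sereal format spec, not from this advisory. */
#define TRACK_FLAG        0x80u  /* high bit of a tag byte */
#define SHORT_BINARY_LOW  0x60u  /* SHORT_BINARY_0 */
#define SHORT_BINARY_HIGH 0x7fu  /* SHORT_BINARY_31 */

enum copy_check { COPY_OK, COPY_BAD_OFFSET, COPY_NOT_SHORT_BINARY, COPY_OVERRUN };

/* Hypothetical helper: positions are 0-based indexes into body. */
static enum copy_check check_copy_target(const uint8_t *body, size_t body_len,
                                         size_t copy_pos, size_t target_pos,
                                         const uint8_t **str, size_t *len)
{
    /* A COPY may only point backwards, at data that was already decoded. */
    if (copy_pos >= body_len || target_pos >= copy_pos)
        return COPY_BAD_OFFSET;
    uint8_t tag = (uint8_t)(body[target_pos] & ~TRACK_FLAG);
    if (tag < SHORT_BINARY_LOW || tag > SHORT_BINARY_HIGH)
        return COPY_NOT_SHORT_BINARY;
    size_t n = tag - SHORT_BINARY_LOW;      /* length is the low 5 bits */
    /* Payload is body[target_pos+1 .. target_pos+n] and must end before
       copy_pos. target_pos < copy_pos, so the subtraction cannot wrap. */
    if (n > copy_pos - (target_pos + 1))
        return COPY_OVERRUN;
    *str = body + target_pos + 1;
    *len = n;
    return COPY_OK;
}

/* Constructed samples. 0x2f is the COPY tag; the byte after it stands in
   for its offset varint, which this sketch does not parse. */
static const uint8_t sample_ok[]  = { 0x63, 'f', 'o', 'o', 0x2f, 0x01 };
static const uint8_t sample_bad[] = { 0x7f, 'A', 'B', 0x2f, 0x01 };
static const uint8_t *out_str;
static size_t out_len;

int main(void)
{
    printf("ok=%d\n",  check_copy_target(sample_ok,  sizeof sample_ok,  4, 0, &out_str, &out_len));
    printf("bad=%d\n", check_copy_target(sample_bad, sizeof sample_bad, 3, 0, &out_str, &out_len));
    return 0;
}
```

In `sample_bad` the target byte claims a 31-byte string although only two bytes lie between it and the COPY tag, so the check rejects it instead of reading past the tag.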