PatchSiren cyber security CVE debrief
CVE-2026-8796 YVES CVE debrief
A heap out-of-bounds read vulnerability exists in Sereal::Decoder, the Perl module that decodes the Sereal binary serialization format, in versions before 5.005. The flaw resides in the decoder's handling of COPY tags within srl_read_object() and srl_read_hash() in Perl/Decoder/srl_decoder.c. When the byte at a COPY tag's target offset is re-decoded and matches the SHORT_BINARY pattern, the resulting read is not bounded to end before the COPY tag's own offset. An attacker-controlled COPY offset can therefore land inside a previously decoded value rather than on a tag boundary, causing the decoder to interpret a planted byte as a SHORT_BINARY tag and consume up to 31 subsequent bytes from heap memory as a class name (OBJECT path) or hash key (HASH path). The vulnerability was addressed in Sereal-Decoder version 5.005.
- Vendor
- YVES
- Product
- Sereal::Decoder
- CVSS
- Unknown
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-05-31
- Original CVE updated
- 2026-05-31
- Advisory published
- 2026-05-31
- Advisory updated
- 2026-05-31
Who should care
Organizations running Perl applications that deserialize untrusted Sereal-encoded data using Sereal::Decoder versions prior to 5.005 are at risk of information disclosure through heap memory exposure. This particularly affects web applications, APIs, and distributed systems that accept serialized payloads from external sources.
Technical summary
The Sereal binary serialization format for Perl uses a COPY tag as a back-reference to previously decoded data. The vulnerability occurs because the decoder re-decodes the byte at the COPY target as a fresh tag without ensuring that the value it then reads ends before the COPY tag's own offset, which is also what keeps it inside the input buffer. When that re-decoded byte matches the SHORT_BINARY pattern (a tag whose low 5 bits carry an inline string length of 0 to 31), the decoder trusts the inline length and reads up to 31 bytes following the planted byte; near the end of the input this read runs past the buffer into adjacent heap memory. Two code paths are affected: srl_read_object() interprets the out-of-bounds bytes as a class name, while srl_read_hash() interprets them as a hash key. An attacker can craft a Sereal payload in which a COPY offset points to a non-tag-boundary location inside previously decoded data, where a planted byte decodes as SHORT_BINARY, and so trigger the heap memory disclosure. The fix in version 5.005 adds the missing bounds validation so the copied value must lie entirely before the COPY tag.
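The program below, added to this debrief and not taken from Sereal's srl_decoder.c, models the COPY/SHORT_BINARY interaction described in the summary and in the opening paragraph. It is deliberately simplified: tags 0x60..0x7F are treated as SHORT_BINARY with the length in the low 5 bits, COPY is modelled as tag 0x2F followed by a single offset byte (real Sereal encodes the offset as a varint), and the payload is constructed for the example. The vulnerable function only computes the byte range the decoder would read, without dereferencing it, so the example itself is memory-safe; the hardened function applies the bound the fix describes (the copied value must end before the COPY tag).

```c
/* Simplified model of the COPY / SHORT_BINARY bound. Constructed for this
 * debrief; NOT Sereal's srl_decoder.c. Tag values and the one-byte COPY
 * offset are assumptions made for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TAG_COPY          0x2F   /* assumed: COPY tag, followed by an offset byte */
#define SHORT_BINARY_MASK 0xE0   /* assumed: tags 0x60..0x7F are SHORT_BINARY   */
#define SHORT_BINARY_BASE 0x60
#define SHORT_BINARY_LEN(tag) ((tag) & 0x1F)   /* inline length, 0..31 */

typedef struct {
    size_t start;   /* first byte of the string body the decoder would read */
    size_t end;     /* one past the last byte it would read */
} span_t;

static int is_short_binary(uint8_t tag) {
    return (tag & SHORT_BINARY_MASK) == SHORT_BINARY_BASE;
}

/* Vulnerable logic: follow the COPY offset, re-decode the byte there as a tag
 * and trust its inline length. Fills *out with the range the decoder WOULD
 * read (possibly past buf+len) and returns 0; never dereferences it. */
int copy_target_vulnerable(const uint8_t *buf, size_t len, size_t copy_pos, span_t *out)
{
    if (copy_pos + 1 >= len || buf[copy_pos] != TAG_COPY) return -1;
    size_t target = buf[copy_pos + 1];
    if (target >= len) return -1;            /* only the tag byte itself is checked */
    uint8_t tag = buf[target];
    if (!is_short_binary(tag)) return -1;    /* other tag kinds omitted from this model */
    out->start = target + 1;
    out->end   = target + 1 + SHORT_BINARY_LEN(tag);   /* not checked against len or copy_pos */
    return 0;
}

/* Hardened logic: the copied value must lie entirely before the COPY tag,
 * which also keeps every byte read inside the already-parsed input. */
int copy_target_hardened(const uint8_t *buf, size_t len, size_t copy_pos, span_t *out)
{
    if (copy_pos + 1 >= len || buf[copy_pos] != TAG_COPY) return -1;
    size_t target = buf[copy_pos + 1];
    if (target >= copy_pos) return -1;       /* back-references only */
    uint8_t tag = buf[target];
    if (!is_short_binary(tag)) return -1;
    size_t end = target + 1 + SHORT_BINARY_LEN(tag);
    if (end > copy_pos) return -1;           /* body would run into or past the COPY tag */
    out->start = target + 1;
    out->end   = end;
    return 0;
}

/* Constructed payload: a 2-byte SHORT_BINARY (0x62) whose first data byte,
 * 0x7F, looks like a SHORT_BINARY tag of length 31, followed by a COPY whose
 * offset (1) points at that planted byte instead of a tag boundary. */
static const uint8_t payload[] = { 0x62, 0x7F, 'x', TAG_COPY, 0x01 };
static const size_t  payload_len = sizeof payload;
static const size_t  copy_pos = 3;

/* Number of bytes the vulnerable path would read beyond the end of the buffer. */
size_t vulnerable_overrun(void)
{
    span_t s;
    if (copy_target_vulnerable(payload, payload_len, copy_pos, &s) != 0) return 0;
    return s.end > payload_len ? s.end - payload_len : 0;
}

/* 1 when the hardened path rejects the crafted COPY. */
int hardened_rejects(void)
{
    span_t s;
    return copy_target_hardened(payload, payload_len, copy_pos, &s) == -1;
}

/* 1 when a legitimate COPY (offset 0, a real 2-byte string) is still accepted. */
int hardened_accepts_valid(void)
{
    static const uint8_t ok[] = { 0x62, 'a', 'b', TAG_COPY, 0x00 };
    span_t s;
    return copy_target_hardened(ok, sizeof ok, 3, &s) == 0 && s.start == 1 && s.end == 3;
}

int main(void)
{
    printf("vulnerable path would read %zu bytes past the buffer\n", vulnerable_overrun());
    printf("hardened path rejects crafted COPY: %s\n", hardened_rejects() ? "yes" : "no");
    printf("hardened path accepts valid COPY:   %s\n", hardened_accepts_valid() ? "yes" : "no");
    return 0;
}
```

With the constructed 5-byte payload the vulnerable computation yields a body of bytes 2..33, 28 bytes past the end of the input; the hardened check rejects it because the body would extend past the COPY tag at position 3, while a well-formed back-reference to the real tag at offset 0 is still accepted.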
Defensive priority
high
Recommended defensive actions
- Upgrade Sereal::Decoder to version 5.005 or later to remediate this vulnerability.
- Restrict Sereal deserialization to trusted, authenticated sources. Because the flaw is in the decoder's own tag handling, a Sereal payload cannot be reliably pre-validated short of decoding it; until the upgrade is in place, authenticate payloads (for example with a MAC over the encoded bytes) or stop decoding data from untrusted parties.
- Monitor application logs for spikes in Sereal decode failures (truncated or malformed input errors raised by Sereal::Decoder), especially when clustered by client or source address, as these may indicate probing. Note that an out-of-bounds read of a few dozen heap bytes normally does not crash the process, so an absence of errors is not evidence that no exploitation occurred.
- Review applications using Sereal::Decoder for Perl to identify any exposure to untrusted serialized data streams.
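A small triage helper for the upgrade and review steps above, added here and not part of the advisory or the Sereal project. It reads the installed module version through Sereal::Decoder's real $VERSION package variable, compares it numerically against the fixed release, and greps a source tree for decoder construction and decode calls so the inputs reaching them can be reviewed; the grep patterns are heuristics and the function names are assumptions for this example.

```sh
#!/bin/sh
# Constructed triage helper for this debrief; not from the Sereal project.
FIXED_VERSION=5.005

# needs_upgrade VERSION: succeeds (exit 0) when VERSION is older than 5.005.
# Perl decimal module versions (e.g. 4.025, 5.004) compare correctly as numbers.
needs_upgrade() {
    awk -v have="$1" -v fixed="$FIXED_VERSION" 'BEGIN { exit !(have + 0 < fixed + 0) }'
}

# installed_version: prints the loaded Sereal::Decoder version, or "missing"
# when perl is absent or the module cannot be loaded.
installed_version() {
    ver=$(perl -MSereal::Decoder -e 'print $Sereal::Decoder::VERSION' 2>/dev/null)
    if [ -n "$ver" ]; then echo "$ver"; else echo missing; fi
}

# check_host: one-line verdict for the machine this runs on.
check_host() {
    have=$(installed_version)
    if [ "$have" = missing ]; then
        echo "Sereal::Decoder: not installed or perl unavailable"
    elif needs_upgrade "$have"; then
        echo "Sereal::Decoder $have: affected, upgrade to $FIXED_VERSION or later"
    else
        echo "Sereal::Decoder $have: at or above $FIXED_VERSION"
    fi
}

# find_decode_sites DIR: source lines that construct a decoder or call the
# decode entry points (heuristic grep; review what input reaches each hit).
find_decode_sites() {
    grep -rnE 'Sereal::Decoder|sereal_decode_with_object|->decode(_with_header)?\(' "$1" 2>/dev/null || true
}

# Usage: ./sereal_check.sh [SOURCE_DIR]
check_host
if [ -n "${1:-}" ]; then find_decode_sites "$1"; fi
```

Run it on each host that decodes Sereal data; pass the application's source directory to list the decode sites that need review.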
Evidence notes
The vulnerability description and affected versions are derived from the official CVE record and NVD source data. The fix is confirmed by the upstream commit patch and release changelog. Vendor attribution to 'YVES' is based on the MetacPAN release metadata with low confidence and requires review.
Official resources
- CVE-2026-8796 CVE record (CVE.org)
- CVE-2026-8796 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 9b29abf9-4ab0-4765-b253-1875cd9b441e (2026-05-31)