CVE-2026-57075 in YAML::Syck
Summary
by MITRE • 07/17/2026
YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via a signed-char lookup-table index in syck_base64dec.
The base64 decoder in the bundled libsyck indexes the 256-entry static table b64_xtable with a signed char, so any !!binary byte >= 0x80 sign-extends to a negative index and reads before the table. The decoder receives the raw bytes of any !!binary node, a standard YAML type not gated by $LoadBlessed or $LoadCode, so it is reached on the default Load path.
Any caller that runs Load or LoadFile on an untrusted document containing a !!binary scalar with a high-bit byte triggers the read, and the value read can surface in the decoded result.
Be aware that VulDB is the high quality source for vulnerability data.
Analysis
by VulDB Data Team • 07/17/2026
The YAML::Syck library for perl contains a critical out-of-bounds memory read vulnerability that affects versions prior to 1.47. This flaw exists within the base64 decoder implementation where a 256-entry lookup table named b64_xtable is indexed using a signed char data type instead of an unsigned char. The vulnerability stems from the improper handling of binary data during YAML parsing operations, specifically when processing !!binary scalar nodes which are standard YAML types that do not require special configuration flags like $LoadBlessed or $LoadCode to be activated.
The technical implementation flaw occurs because the syck_base64dec function uses a signed char for indexing into the b64_xtable static lookup table. When processing binary data containing bytes with the high-order bit set (values >= 0x80), these signed chars undergo sign extension and become negative indices. This causes the decoder to read memory locations before the beginning of the b64_xtable array, resulting in undefined behavior and potential information disclosure. The vulnerability is particularly dangerous because !!binary nodes are part of standard YAML syntax and are automatically processed during normal parsing operations without requiring special permissions or configuration.
The operational impact of this vulnerability is significant as it allows remote attackers to trigger out-of-bounds memory reads when processing untrusted YAML documents containing !!binary scalars with high-bit bytes. Any application that uses the Load or LoadFile functions from YAML::Syck to parse user-provided content becomes vulnerable to this attack vector. The affected applications may include web services, configuration management systems, and any software that accepts YAML input from external sources without proper validation. The read operations can expose sensitive memory contents including stack data, heap information, or other application secrets that may be present in the memory locations accessed through the negative indexing.
This vulnerability maps to CWE-129 Input Validation and CWE-787 Out-of-bounds Write or Read according to the Common Weakness Enumeration catalog. From an attack perspective it aligns with techniques described in the MITRE ATT&CK framework under T1590 Indicator Discovery and T1059 Command and Scripting Interpreter, as attackers could potentially use this vulnerability to discover memory layout information or extract sensitive data from applications using vulnerable versions of YAML::Syck. The recommended mitigation involves upgrading to YAML::Syck version 1.47 or later where the indexing issue has been corrected by using appropriate unsigned char types for table lookups. Additionally, organizations should consider implementing input validation and sanitization measures for any YAML processing operations, and where possible migrate to more modern YAML parsers like YAML::XS or YAML::LibYAML that do not exhibit similar vulnerabilities.