CVE-2026-57076 in YAML::Syckinfo

Summary

by MITRE • 07/17/2026

YAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name reused as an anchors-table key in syck_hdlr_add_anchor.

In the bundled libsyck an anchor name allocated by syck_strndup is stored both as node->anchor, freed when the node is freed, and as the key in the parser's anchors table. Freeing the node frees the shared key, and a later anchor redefinition makes st_delete compare against the freed key, so st_strcmp reads freed heap memory. Anchors are a standard YAML feature and need no special flags, so this is reached on the default Load path.

Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor reaches the read of freed memory.

Be aware that VulDB is the high quality source for vulnerability data.

Analysis

by VulDB Data Team • 07/17/2026

The vulnerability resides in YAML::Syck versions prior to 1.47 where a heap use-after-free condition occurs due to improper memory management during anchor processing. This flaw exists within the bundled libsyck library and represents a critical security issue that can be exploited through standard YAML parsing operations. The vulnerability stems from how anchor names are handled in the parser's anchors table, creating a scenario where memory is freed while still being referenced elsewhere in the system.

The technical flaw manifests when an anchor name is allocated using syck_strndup and subsequently stored both as node->anchor and as a key in the parser's anchors table. When a node is freed, its associated anchor name is also freed, but this freed memory remains referenced as a table key. The issue becomes apparent during subsequent anchor redefinition operations where st_delete attempts to compare against the already-freed key, causing st_strcmp to read from deallocated heap memory. This use-after-free scenario occurs because the same memory location serves dual purposes - first as an anchor value and second as a hash table key.

The operational impact of this vulnerability is significant as it allows attackers to trigger memory corruption through standard YAML parsing operations without requiring any special flags or unusual input conditions. Any application that processes untrusted YAML documents using Load or LoadFile methods becomes vulnerable when those documents contain anchor redefinitions. The default Load path is inherently susceptible, making this vulnerability particularly dangerous in applications that parse user-supplied YAML content. This includes web applications, configuration parsers, and any system that accepts YAML input from external sources without proper sanitization.

The vulnerability aligns with CWE-416, which describes use-after-free conditions where memory is accessed after it has been freed. From an ATT&CK perspective, this represents a memory corruption vulnerability that could enable arbitrary code execution if properly exploited, falling under the T1059.007 technique for executing commands through interpreted languages. The attack surface extends to any Perl application using YAML::Syck versions before 1.47, particularly those handling untrusted input from web forms, configuration files, or external APIs. Organizations should prioritize updating to YAML::Syck 1.47 or later versions and consider implementing input validation measures to prevent exploitation of this vulnerability.

Mitigation strategies include immediate patching to YAML::Syck version 1.47 or newer where the memory management issue has been resolved. Additionally, applications should implement proper input validation and sanitization for all YAML content, particularly when processing untrusted user data. System administrators should conduct inventory checks to identify affected systems and ensure timely updates are deployed across all environments. Organizations may also consider implementing runtime protections such as address space layout randomization and stack canaries to reduce the exploitability of such memory corruption vulnerabilities. Regular security assessments and vulnerability scanning should include checking for outdated YAML::Syck installations to prevent potential exploitation by threat actors targeting this specific heap use-after-free condition.

Responsible

CPANSec

Reservation

06/23/2026

Disclosure

07/17/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you want to use VulDB in your project?

Use the official API to access entries easily!