CVE-2026-57077 in YAML::Syck
Summary
by MITRE • 07/17/2026
YAML::Syck versions before 1.47 for Perl allow an out-of-bounds read via an unbounded newline scan in newline_len.
In the bundled libsyck newline_len and is_newline dereference the scan pointer, and the following byte for a "\r\n" pair, with no NUL-terminator or bounds check. During block-scalar lexing at a document boundary the scan runs one byte past the heap lexer buffer. This is an incomplete fix of CVE-2025-11683, on a lexer path the earlier fix did not cover.
Any caller that runs Load or LoadFile on an untrusted document with a block scalar at a document boundary reaches the over-read.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/17/2026
The YAML::Syck library for perl contains a critical out-of-bounds read vulnerability affecting versions prior to 1.47. This flaw exists within the newline_len function which processes newline characters during lexical analysis of yaml documents. The vulnerability stems from an unbounded scan operation that does not properly validate buffer boundaries when processing "\r\n" character sequences. During block-scalar lexing operations, particularly at document boundaries, the scanner advances beyond the allocated heap buffer limits without proper bounds checking mechanisms.
The technical implementation of this vulnerability occurs in the libsyck library's lexical analysis component where the newline_len function directly dereferences a scan pointer and examines subsequent bytes to identify newline patterns. When processing block scalars at document edges, the scanner continues past the valid buffer boundaries, potentially reading one byte beyond the heap-allocated lexer buffer. This behavior creates an incomplete fix for a previously identified vulnerability CVE-2025-11683, as the remediation only addressed certain code paths while leaving others unprotected. The lack of null termination checking and boundary validation allows attackers to craft malicious yaml documents that trigger this over-read condition.
The operational impact of this vulnerability is significant as any application utilizing the Load or LoadFile functions with untrusted yaml input becomes susceptible to information disclosure through memory read operations. An attacker can construct a carefully crafted yaml document containing block scalars at document boundaries, causing the vulnerable library to access memory beyond the intended buffer limits. This over-read may expose sensitive data from adjacent memory regions including stack contents, heap metadata, or other process memory segments. The vulnerability represents a classic buffer over-read issue that aligns with CWE-125 and can potentially be leveraged in information disclosure attacks according to ATT&CK technique T1005.
Mitigation strategies should prioritize immediate upgrading to YAML::Syck version 1.47 or later where the bounds checking has been properly implemented. Organizations should also consider implementing input validation and sanitization measures for yaml documents before processing, particularly when handling untrusted content from external sources. Additional defensive programming practices including buffer boundary checks, null termination verification, and proper memory management should be enforced throughout applications using this library. The vulnerability demonstrates the importance of comprehensive security testing across all code paths in lexical analysis components and highlights the need for robust bounds checking mechanisms in parsing libraries that handle untrusted input data according to industry best practices outlined in secure coding standards.