CVE-2026-5089

Name	CVE-2026-5089
Description	YAML::Syck versions before 1.38 for Perl has an out-of-bounds read. The base60 (sexagesimal) parsing code in perl_syck.h has a buffer underflow bug in both int#base60 and float#base60 handlers. When processing the leftmost segment of a colon-separated value (e.g., the 1 in 1:30:45), the inner while loop can decrement a pointer past the start of the string buffer: while ( colon >= ptr && colon != ':' ) { colon--; } if ( colon == ':' ) colon = '\0'; // colon may be ptr-1 here When no colon is found (final/leftmost segment), colon becomes ptr-1, and the subsequent colon dereference reads one byte before the allocated buffer.
Source	CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
libyaml-syck-perl (PTS)	bullseye	1.34-1	vulnerable
	bullseye (security)	1.34-1+deb11u1	vulnerable
	bookworm, bookworm (security)	1.34-2+deb12u2	vulnerable
	trixie (security), trixie	1.34-2+deb13u2	vulnerable
	forky, sid	1.36-3	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
libyaml-syck-perl	source	(unstable)	1.36-3

Notes

[trixie] - libyaml-syck-perl <no-dsa> (Minor issue)
[bookworm] - libyaml-syck-perl <no-dsa> (Minor issue)
[bullseye] - libyaml-syck-perl <postponed> (Minor issue, limited OOB read)
https://lists.security.metacpan.org/cve-announce/msg/39981051/
https://github.com/cpan-authors/YAML-Syck/issues/132
https://github.com/cpan-authors/YAML-Syck/pull/133
Fixed by: https://github.com/cpan-authors/YAML-Syck/commit/208a4d3bd1b5cdb4a791a6e3905bd6bd45e9d005 (1.38)