CVE-2026-57076

NameCVE-2026-57076
DescriptionYAML::Syck versions before 1.47 for Perl allow a heap use-after-free via an anchor name reused as an anchors-table key in syck_hdlr_add_anchor. In the bundled libsyck an anchor name allocated by syck_strndup is stored both as node->anchor, freed when the node is freed, and as the key in the parser's anchors table. Freeing the node frees the shared key, and a later anchor redefinition makes st_delete compare against the freed key, so st_strcmp reads freed heap memory. Anchors are a standard YAML feature and need no special flags, so this is reached on the default Load path. Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor reaches the read of freed memory.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1142267

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
libyaml-syck-perl (PTS)bullseye1.34-1vulnerable
bullseye (security)1.34-1+deb11u1vulnerable
bookworm, bookworm (security)1.34-2+deb12u2vulnerable
trixie (security), trixie1.34-2+deb13u2vulnerable
forky1.36-3vulnerable
sid1.47-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
libyaml-syck-perlsource(unstable)(unfixed)1142267

Notes

https://www.openwall.com/lists/oss-security/2026/07/17/3
Fixed by: https://github.com/toddr/YAML-Syck/commit/44c90a109ec3215ee7ce747bd11209835e123d8b (1.47)

Search for package or bug name: Reporting problems