========================================================================
CVE-2026-5089                                        CPAN Security Group
========================================================================

         CVE ID:  CVE-2026-5089
   Distribution:  YAML-Syck
       Versions:  before 1.38

       MetaCPAN:  https://metacpan.org/dist/YAML-Syck
       VCS Repo:  https://github.com/toddr/YAML-Syck

YAML::Syck versions before 1.38 for Perl has an out-of-bounds read

Description
-----------
YAML::Syck versions before 1.38 for Perl  has an out-of-bounds read.

The base60 (sexagesimal) parsing code in perl_syck.h has a buffer
underflow bug in both int#base60 and float#base60 handlers. When
processing the leftmost segment of a colon-separated value (e.g., the 1
in 1:30:45), the inner while loop can decrement a pointer past the
start of the string buffer:

     while ( colon >= ptr && *colon != ':' )
     {
         colon--;
     }
     if ( *colon == ':' ) *colon = '\0';  // colon may be ptr-1 here

When no colon is found (final/leftmost segment), colon becomes ptr-1,
and the subsequent *colon dereference reads one byte before the
allocated buffer.

Problem types
-------------
- CWE-124 Buffer Underwrite ('Buffer Underflow')

Solutions
---------
Upgrade to YAML::Syck version 1.38 or later.

References
----------
https://metacpan.org/release/TODDR/YAML-Syck-1.38/changes
https://github.com/cpan-authors/YAML-Syck/issues/132
https://github.com/cpan-authors/YAML-Syck/pull/133
https://github.com/cpan-authors/YAML-Syck/commit/208a4d3bd1b5cdb4a791a6e3905bd6bd45e9d005.patch