CVE-2026-8796: Sereal::Decoder versions before 5.005 for Perl allow heap out-of-bounds read via crafted input
Sereal::Decoder versions before 5.005 for Perl allow a heap out-of-bounds read via crafted input. In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag's own offset and can run past the end of the input buffer. An attacker-controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path).
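The defect class described above, as an added illustration written for this note; it is a small model, not code from Sereal::Decoder or the upstream fix. It assumes the Sereal protocol's SHORT_BINARY tag range (0x60..0x7F, length in the low five bits), and the sample buffer is constructed here so the check can be exercised offline. The unchecked function shows the pattern that lets a tag near the end of the input declare more payload than the buffer holds; the checked variant and the COPY resolver reject that case.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Model of the check at issue, written for this note; not Sereal::Decoder's
 * code. In the Sereal protocol, SHORT_BINARY tags occupy 0x60..0x7F and
 * carry the inline string length (0..31) in the low 5 bits of the tag. */
#define SHORT_BINARY_LOW      0x60
#define SHORT_BINARY_HIGH     0x7F
#define SHORT_BINARY_LEN_MASK 0x1F

/* Constructed sample input: a 3-byte SHORT_BINARY "abc" followed by a lone
 * 0x7F byte. Read as a tag, 0x7F declares 31 payload bytes that the buffer
 * does not contain. Note that the interior bytes 'a'..'c' (0x61..0x63) also
 * match the SHORT_BINARY pattern, which is what a mis-aimed COPY relies on. */
static const uint8_t SAMPLE_INPUT[] = { 0x63, 'a', 'b', 'c', 0x7F };
#define SAMPLE_LEN (sizeof SAMPLE_INPUT)

/* Defective pattern: trusts the declared length without checking the buffer
 * end. A caller that copies this many bytes from buf + pos + 1 reads past
 * the allocation whenever the tag sits near the end of the input. */
int short_binary_len_unchecked(const uint8_t *buf, size_t pos)
{
    return buf[pos] & SHORT_BINARY_LEN_MASK;
}

/* Hardened form: returns the inline length only if the tag byte and all of
 * its payload lie inside buf[0 .. len), otherwise -1. */
int short_binary_len_checked(const uint8_t *buf, size_t len, size_t pos)
{
    if (pos >= len)
        return -1;                          /* tag byte itself out of range */
    uint8_t tag = buf[pos];
    if (tag < SHORT_BINARY_LOW || tag > SHORT_BINARY_HIGH)
        return -1;                          /* not a SHORT_BINARY tag */
    size_t n = tag & SHORT_BINARY_LEN_MASK;
    if (n > len - pos - 1)
        return -1;                          /* payload would run past the end */
    return (int)n;
}

/* Resolving a COPY back-reference: the target must precede the COPY tag, and
 * whatever is re-decoded there must still be bounded by the input buffer.
 * Returns 0 and the inline length on success, -1 when the reference is
 * rejected. */
int resolve_copy_target(const uint8_t *buf, size_t len, size_t copy_pos,
                        size_t target, int *out_len)
{
    if (copy_pos >= len || target >= copy_pos)
        return -1;                          /* forward or self reference */
    int n = short_binary_len_checked(buf, len, target);
    if (n < 0)
        return -1;                          /* payload not inside the buffer */
    *out_len = n;
    return 0;
}

int main(void)
{
    int n = -1;
    printf("tag at 0: checked=%d unchecked=%d\n",
           short_binary_len_checked(SAMPLE_INPUT, SAMPLE_LEN, 0),
           short_binary_len_unchecked(SAMPLE_INPUT, 0));
    printf("tag at 4: checked=%d unchecked=%d\n",
           short_binary_len_checked(SAMPLE_INPUT, SAMPLE_LEN, 4),
           short_binary_len_unchecked(SAMPLE_INPUT, 4));
    printf("copy 4->0: %s\n",
           resolve_copy_target(SAMPLE_INPUT, SAMPLE_LEN, 4, 0, &n) == 0
               ? "ok" : "rejected");
    return 0;
}
```

The byte at offset 4 reports 31 bytes under the unchecked reader and is rejected by the checked one; an interior byte such as offset 2 still parses as a short (in-buffer) string, which shows that the buffer-end bound, not tag alignment, is what stops the over-read.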
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: 5.005
- Affected Products: 1
HarborGuard Analysis
Synopsis
A heap out-of-bounds read vulnerability affects Sereal::Decoder for Perl in versions before 5.005. The flaw is reachable over the network without authentication, but requires a user or service to process attacker-supplied Sereal-encoded input. Successful exploitation lets an attacker read up to 31 bytes of heap memory beyond the input buffer, exposing sensitive in-process data, and can also crash the decoder process. A patched-image rebuild at version 5.005 is available on HarborGuard for affected environments.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Sereal::Decoder as a Perl dependency. Any image layer containing a Sereal::Decoder release below 5.005 will be flagged automatically.
HarborGuard scores this finding at CVSS 8.1 (HIGH) and is capable of weighting it further against each customer environment's compliance policy, for example flagging it at elevated priority in environments that process untrusted serialized data. Routed alerts can be directed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.
A patched-image rebuild at Sereal::Decoder 5.005 becomes available for scanning and deployment once the upstream fix is confirmed in the advisory feed. For customers who opt into auto-remediation, HarborGuard is capable of triggering an image rebuild, running a regression test suite against the updated image, and opening a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
  The decoder must be exposed to attacker-supplied input arriving over the network, meaning the service processing Sereal data must be reachable remotely.
- Authentication: Not required
  No credentials or account are required; the attacker only needs to deliver crafted Sereal-encoded bytes to the target service.
- Victim interaction: Required
  A user or service process must actively decode the attacker-crafted Sereal payload, making this a social-engineering or supply-chain vector where the victim processes malicious input.
- Attack complexity: Low
  Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of memory layout beyond constructing a valid COPY offset.
Blast Radius
- Reads up to 31 contiguous bytes of heap memory past the end of the input buffer, which may include in-memory strings such as session tokens, decryption keys, or other recently allocated Perl scalars.
- Exposes decoded hash keys or object class names from earlier allocations on the heap, potentially leaking application-internal data structures to the attacker.
- Crashes the Sereal::Decoder process when the out-of-bounds read crosses an unmapped memory page, causing denial of service for any service that depends on Sereal deserialization.
How HarborGuard Handles This
Available on HarborGuard: any image containing Sereal::Decoder below 5.005 is detectable at scan time, with findings surfaced at HIGH severity (CVSS 8.1) and routable to the owning team. Where compliance policy permits, a rebuilt image pinned to Sereal::Decoder 5.005 becomes available as soon as the upstream package is confirmed fixed. For customers who opt into auto-remediation, HarborGuard is capable of executing the full rebuild-and-PR flow, including a regression test run, with a median time from CVE publication to merged patch PR of around 90 minutes for HIGH-severity issues in enabled environments. Until a rebuild is deployed, compensating controls worth considering include input validation or size limits on Sereal payloads at the application boundary, network-policy rules that restrict which services can submit serialized data to the decoder, and egress filtering on containers running the decoder to limit what an attacker can do with any leaked heap content.
Affected Products
- YVES / Sereal::Decoder < 5.005 (from 0)
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H