PT-2026-40106 · Cpan · Yaml::Syck

Published 2026-05-12 · Updated 2026-05-23 · CVE-2026-5089

CVSS v3.1: 7.3 High

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions

YAML::Syck versions prior to 1.38

Description

An out-of-bounds read exists in the base60 (sexagesimal) parsing code within perl syck.h. Specifically, the int#base60 and float#base60 handlers contain a buffer underflow bug. When processing the leftmost segment of a colon-separated value, an inner while loop can decrement a pointer past the start of the string buffer. If no colon is found, the pointer becomes ptr-1, and the subsequent dereference reads one byte before the allocated buffer.

Recommendations

Update to version 1.38 or later.
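
The bounded form of the right-to-left scan from the description, as an added illustration: this is not YAML::Syck's code or its 1.38 patch. The function name `base60_to_ulong`, its return convention and its rejection rules are assumptions made for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from YAML::Syck): parse a base60 integer such as
 * "1:30:00" held in str[0..len), scanning segments right to left.
 * Returns 0 and stores the value in *out, or -1 on malformed input.
 * Value overflow is not checked (unsigned wraparound); the point here is
 * the pointer bound. */
int base60_to_ulong(const char *str, size_t len, unsigned long *out)
{
    const char *start = str, *end = str + len;
    unsigned long total = 0, scale = 1;

    if (len == 0)
        return -1;
    while (end > start) {
        const char *seg = end;
        /* Bound first, dereference second: seg[-1] is read only while
         * seg > start, so the leftmost segment (no colon to its left)
         * stops at start instead of reaching start - 1. */
        while (seg > start && seg[-1] != ':')
            seg--;
        if (seg == end)
            return -1;                      /* empty segment, e.g. "1::5" */
        unsigned long v = 0;
        for (const char *p = seg; p < end; p++) {
            if (*p < '0' || *p > '9')
                return -1;                  /* non-digit in segment */
            v = v * 10 + (unsigned long)(*p - '0');
        }
        total += v * scale;
        scale *= 60;
        /* Step over the colon only when one exists inside the buffer. */
        end = (seg > start) ? seg - 1 : start;
    }
    *out = total;
    return 0;
}

int main(void)
{
    const char *samples[] = { "1:30:00", "42", "1::5" };  /* constructed inputs */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned long v = 0;
        int rc = base60_to_ulong(samples[i], strlen(samples[i]), &v);
        printf("%-8s rc=%d value=%lu\n", samples[i], rc, v);
    }
    return 0;
}
```

The single-segment input `"42"` is the case the description singles out: with no colon in the buffer, the scan has to stop at the first byte rather than one before it.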

Related Identifiers

CVE-2026-5089
OPENSUSE-SU-2026:10846-1

Affected Products

Yaml::Syck