PT-2026-60588 · Toddr · Yaml::Syck
CVE-2026-13713
·
Published
2026-07-16
·
Updated
2026-07-16
None
No severity ratings or metrics are available. When they are, we'll update the corresponding info on the page.
YAML::Syck versions before 1.47 for Perl allow a use-after-free and double-free via an anchor node freed while still on the parser value stack.
In the bundled libsyck, when an anchor name is redefined or removed, syck hdlr add anchor and syck hdlr remove anchor free the node stored under that name with syck free node. That node can still be live on the parser's value stack, so syck hdlr add node reaches it again and frees it a second time. On a normal build the 48-byte node chunk is freed twice and the interpreter aborts. Anchors need no special flags, so this is reached on the default Load path, and a 7-byte document that redefines an anchor triggers it.
Any caller that runs Load or LoadFile on an untrusted document that redefines an anchor mid-parse crashes the interpreter, a denial of service.
Double Free
Use After Free
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Yaml::Syck