Cyber Resilience

CVE-2024-14030

Severity: High

Published: 31 March 2026
Modified: 13 April 2026
KEV Added: not listed
Patch: available (Sereal::Decoder 4.010 or later)
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0036 (27.3 percentile)
Risk Priority: 55 (floored blend, peak EPSS)

Summary

CVE-2024-14030 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in the Perl module Sereal::Decoder (CPAN author Yves). Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It is ranked at the 27.3 percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2024-14030 affects Sereal::Decoder, a Perl module for deserializing data, specifically versions 4.000 through 4.009_002. These versions embed a vulnerable copy of the Zstandard (zstd) compression library that is susceptible to CVE-2019-11922. The underlying issue is a race condition in zstd's one-pass compression functions prior to version 1.3.8, which can lead to an out-of-bounds write (CWE-787) when the caller supplies an output buffer smaller than the recommended size (the bound zstd reports via ZSTD_compressBound). The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-31.

A remote, unauthenticated attacker could exploit this over the network if attacker-influenced data reaches the affected zstd compression functions through Sereal::Decoder with an undersized output buffer while the race window is open; the AC:H component of the vector reflects that timing requirement. Note that the underlying defect is in zstd's compression path, not its decompression path, so practical exposure of a given deployment depends on whether that path is reachable from the data it decodes; the embedded library is nonetheless vulnerable and should be treated as such until updated. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as disclosure of process memory, memory corruption leading to code execution, or denial of service through the out-of-bounds write.

Advisories recommend updating to Sereal::Decoder version 4.010 or later, which addresses the issue by embedding a patched version of the Zstandard library. Relevant resources include the GitHub Security Advisory (GHSA-w77f-wv46-4vcx), the release changes for Sereal-Decoder-4.010 on MetaCPAN, and details on the root cause CVE-2019-11922.


Vulnerability details

Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library. Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.

CWE(s): CWE-787 Out-of-bounds Write

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Network-reachable deserialization module with memory corruption (OOB write) enables remote exploitation of public-facing applications processing untrusted serialized data.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-14031 (same product: Sereal)
CVE-2025-27807 (shared CWE-787)
CVE-2024-48856 (shared CWE-787)
CVE-2025-14234 (shared CWE-787)
CVE-2018-25223 (shared CWE-787)
CVE-2018-25154 (shared CWE-787)
CVE-2024-57704 (shared CWE-787)
CVE-2025-29384 (shared CWE-787)
CVE-2024-12648 (shared CWE-787)
CVE-2025-30276 (shared CWE-787)

Affected Assets

Vendor: yves
Product: sereal (Sereal::Decoder for Perl)

Mitigating Controls (NIST 800-53 r5)

SI-2 Flaw Remediation (prevent)
Directly requires timely identification, reporting, and correction of software flaws such as the vulnerable Zstandard library in Sereal::Decoder versions 4.000-4.009_002, by updating to 4.010 or later.

RA-5 Vulnerability Monitoring and Scanning (detect)
Mandates vulnerability scanning and monitoring to identify CVE-2024-14030 in deployed Sereal::Decoder instances that embed the vulnerable Zstandard build.

SI-16 Memory Protection (prevent)
Provides memory protections such as ASLR and DEP that raise the cost of turning the out-of-bounds write from the Zstandard race condition into code execution. They do not remove the defect, so they complement rather than replace the update.
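The version check that the SI-2 and RA-5 entries above call for, against the affected range stated in the advisory paragraph (4.000 through 4.009_002, fixed in 4.010), as an added example that is not code from the Sereal project, the advisory, or this page. It assumes `perl` is on PATH and that Sereal::Decoder uses a plain decimal version string, so an underscore developer release such as 4.009_002 compares numerically as 4.009002, the way Perl's version.pm treats it; the function names are the example's own.

```python
"""Check whether an installed Sereal::Decoder is in the range affected by
CVE-2024-14030 (4.000 through 4.009_002; fixed in 4.010).

Added example for this page, not code from the Sereal project or the advisory.
Assumption: Sereal::Decoder uses decimal Perl versions, where an underscore
marks a developer/alpha release and is dropped for numeric comparison.
"""
import subprocess
from fractions import Fraction
from typing import Optional

AFFECTED_MIN = "4.000"   # first affected release (from the advisory)
FIXED_IN = "4.010"       # first release embedding the patched zstd


def parse_perl_version(v: str) -> Fraction:
    """Convert a decimal Perl version string such as '4.009_002' to a number.

    4.009_002 == 4.009002 numerically. Dotted-decimal forms (v4.9.2) are not
    used by Sereal::Decoder, so they are rejected rather than guessed at.
    """
    s = v.strip()
    if s.startswith("v") or s.count(".") > 1:
        raise ValueError(f"not a decimal Perl version: {v!r}")
    return Fraction(s.replace("_", ""))


def is_affected(version: str) -> bool:
    """True when AFFECTED_MIN <= version < FIXED_IN."""
    v = parse_perl_version(version)
    return parse_perl_version(AFFECTED_MIN) <= v < parse_perl_version(FIXED_IN)


def installed_version() -> Optional[str]:
    """Ask perl for $Sereal::Decoder::VERSION; None if perl or the module is absent."""
    try:
        out = subprocess.run(
            ["perl", "-MSereal::Decoder", "-e", "print $Sereal::Decoder::VERSION"],
            capture_output=True, text=True, timeout=30,
        )
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return None
    if out.returncode != 0 or not out.stdout.strip():
        return None
    return out.stdout.strip()


def check_host() -> dict:
    """Report installation state and whether the installed version is affected."""
    v = installed_version()
    if v is None:
        return {"installed": False, "version": None, "affected": False}
    return {"installed": True, "version": v, "affected": is_affected(v)}


if __name__ == "__main__":
    print(check_host())
```

Run it on each host (or container image) that ships Sereal::Decoder; a result with `affected: True` is the finding RA-5 scanning should surface, and the remediation under SI-2 is the upgrade to 4.010 or later. If your application vendors a copy of zstd separately from Sereal, that copy needs its own check against the 1.3.8 boundary.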
