CVE-2024-14030
Published: 31 March 2026
Summary
CVE-2024-14030 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Yves Sereal. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it ranks at the 27.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2024-14030 affects Sereal::Decoder, a Perl module for deserializing data, specifically versions from 4.000 through 4.009_002. These versions embed a vulnerable version of the Zstandard (zstd) compression library that is susceptible to CVE-2019-11922. The underlying issue is a race condition in zstd's one-pass compression functions prior to version 1.3.8, which can lead to an out-of-bounds write (CWE-787) when an output buffer smaller than the recommended size is used. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) and was published on 2026-03-31.
A remote, unauthenticated attacker can exploit this vulnerability over the network by triggering the affected compression functions in Sereal::Decoder under race conditions with an undersized output buffer. Successful exploitation could result in high-impact confidentiality, integrity, and availability violations, such as reading sensitive data, modifying memory, or causing denial of service through out-of-bounds writes.
Advisories recommend updating to Sereal::Decoder version 4.010 or later, which addresses the issue by embedding a patched version of the Zstandard library. Relevant resources include the GitHub Security Advisory (GHSA-w77f-wv46-4vcx), the release changes for Sereal-Decoder-4.010 on MetaCPAN, and details on the root cause CVE-2019-11922.
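The affected range above is expressed in Perl's decimal version notation, where the underscore in 4.009_002 is a development-release marker that Perl strips before numeric comparison (so 4.009_002 sorts below 4.010, and 4.01 equals 4.010). The following script, added here as an example and not code from the advisory or the Sereal project, parses such version strings and triages a constructed host inventory; the inventory format (host, tab, version) is an assumption, and in practice the version column would be filled from `perl -MSereal::Decoder -e 'print $Sereal::Decoder::VERSION'` run on each host.

```python
"""Triage hosts for CVE-2024-14030 by Sereal::Decoder version (added example)."""
from __future__ import annotations

from decimal import Decimal

# Range taken from the advisory: 4.000 through 4.009_002 affected, 4.010 fixed.
AFFECTED_MIN = "4.000"
AFFECTED_MAX = "4.009_002"
FIXED_VERSION = "4.010"


def parse_perl_version(version: str) -> Decimal:
    """Parse a Perl *decimal* version string (e.g. '4.009_002') into a Decimal.

    Perl removes the '_' development marker before comparing decimal versions,
    so '4.009_002' becomes 4.009002.  Dotted-decimal forms such as 'v4.9.2'
    compare differently and are rejected rather than silently misordered.
    """
    v = version.strip()
    if v.startswith("v") or v.count(".") != 1:
        raise ValueError(f"unsupported (dotted-decimal) version form: {version!r}")
    return Decimal(v.replace("_", ""))


def is_affected(version: str) -> bool:
    """True if this Sereal::Decoder version lies inside the advisory's affected range."""
    v = parse_perl_version(version)
    return parse_perl_version(AFFECTED_MIN) <= v <= parse_perl_version(AFFECTED_MAX)


# Constructed sample inventory (hypothetical hosts): "<host>\t<Sereal::Decoder version>"
SAMPLE_INVENTORY = """\
app-01\t4.008
app-02\t4.009_002
app-03\t4.010
app-04\t3.015
app-05\t4.018
"""


def triage(inventory: str) -> dict[str, bool]:
    """Map each host in the inventory to whether it runs an affected version."""
    result: dict[str, bool] = {}
    for line in inventory.splitlines():
        if not line.strip():
            continue
        host, version = line.split("\t", 1)
        result[host] = is_affected(version)
    return result


if __name__ == "__main__":
    for host, affected in triage(SAMPLE_INVENTORY).items():
        status = f"AFFECTED - update to {FIXED_VERSION} or later" if affected else "not affected"
        print(f"{host}: {status}")
```

Versions below 4.000 are reported as outside the advisory's stated range rather than as safe; whether such installs embed a vulnerable zstd is not something the advisory text answers, so the script does not guess.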
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-55511
Vulnerability details
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard (zstd) library, one that is susceptible to CVE-2019-11922. That issue is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
- CWE(s): CWE-787 (Out-of-bounds Write)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Network-reachable deserialization module with memory corruption (OOB write) enables remote exploitation of public-facing applications processing untrusted serialized data.
Mitigating Controls (NIST 800-53 r5, AI)
- SI-2 (Flaw Remediation): Directly requires timely identification, reporting, and correction of software flaws like the vulnerable Zstandard library in Sereal::Decoder versions 4.000-4.009_002 by updating to 4.010 or later.
- RA-5 (Vulnerability Monitoring and Scanning): Mandates vulnerability scanning and monitoring to identify the presence of CVE-2024-14030 in deployed Sereal::Decoder instances embedding vulnerable Zstandard.
- SI-16 (Memory Protection): Provides memory protections such as ASLR and DEP to mitigate exploitation of the out-of-bounds write from the Zstandard race condition in Sereal::Decoder.