CVE-2024-14031
Published: 31 March 2026
Summary
CVE-2024-14031 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Yves Sereal. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 27.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).
Deeper analysis
CVE-2024-14031 affects Sereal::Encoder, a Perl module for serializing data, specifically versions from 4.000 through 4.009_002. These versions embed a vulnerable version of the Zstandard (zstd) compression library that is susceptible to CVE-2019-11922. The underlying issue is a race condition in zstd's one-pass compression functions prior to version 1.3.8, which can lead to an out-of-bounds write (CWE-787) when an output buffer smaller than the recommended size is provided. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).
Remote attackers without privileges can exploit this vulnerability over the network with high attack complexity and no user interaction required. Exploitation occurs during compression operations if the output buffer is undersized, triggering the race condition and enabling arbitrary byte writes beyond buffer boundaries. Successful exploitation could result in high confidentiality, integrity, and availability impacts, such as code execution, data corruption, or denial of service within the affected Perl application using Sereal::Encoder.
Advisories, including the GitHub Security Advisory GHSA-w77f-wv46-4vcx and the release notes for Sereal::Encoder 4.010 on MetaCPAN, recommend updating to version 4.010 or later, which incorporates a patched version of the Zstandard library. Additional details on the root cause are available in the CVE-2019-11922 record on cve.org.
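As an added example (not part of the advisory or of the Sereal project), the following Python script turns the affected range above into a scanner check: it normalises Perl decimal versions, including the 4.009_002 underscore style, and flags inventory entries that fall inside 4.000 through 4.009_002. The inventory lines are constructed sample data; the host names and tab-separated layout are assumptions.

```python
import re
from typing import Dict, Tuple

# Range published for CVE-2024-14031: 4.000 through 4.009_002 inclusive; fixed in 4.010.
AFFECTED_MIN, AFFECTED_MAX, FIXED_VERSION = "4.000", "4.009_002", "4.010"

# Perl "decimal" versions only (Sereal uses them); dotted-decimal v-strings are rejected.
_DECIMAL_RE = re.compile(r"^(\d+)(?:\.(\d+(?:_\d+)*))?$")


def parse_perl_version(text: str) -> Tuple[int, ...]:
    """Turn a Perl decimal version such as 4.009_002 into a comparable tuple.

    Perl ignores underscores in numeric literals, so 4.009_002 is the number
    4.009002; its fractional digits are read in groups of three, which gives
    4.009002 -> (4, 9, 2) and 4.010 -> (4, 10).
    """
    m = _DECIMAL_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a Perl decimal version: {text!r}")
    major, frac = m.group(1), (m.group(2) or "").replace("_", "")
    frac += "0" * (-len(frac) % 3)  # pad the last group to three digits
    return (int(major), *(int(frac[i:i + 3]) for i in range(0, len(frac), 3)))


def is_affected(version: str) -> bool:
    """True if `version` lies inside the advisory's affected range."""
    v, lo, hi = (parse_perl_version(s) for s in (version, AFFECTED_MIN, AFFECTED_MAX))
    width = max(len(v), len(lo), len(hi))
    pad = lambda t: t + (0,) * (width - len(t))  # (4, 9) compares as (4, 9, 0)
    return pad(lo) <= pad(v) <= pad(hi)


# Constructed sample inventory, one "<host>\t<$Sereal::Encoder::VERSION>" per line,
# as collected with: perl -MSereal::Encoder -e 'print $Sereal::Encoder::VERSION'
SAMPLE_INVENTORY = "app-01\t4.009_002\napp-02\t4.010\napp-03\t4.007\napp-04\t3.015\n"


def triage_inventory(report: str) -> Dict[str, str]:
    """Map each host to 'affected' or 'not affected' by CVE-2024-14031."""
    result: Dict[str, str] = {}
    for line in report.splitlines():
        if line.strip():
            host, version = line.split("\t", 1)
            result[host] = "affected" if is_affected(version) else "not affected"
    return result


if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}; upgrade to {FIXED_VERSION} or later")
```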
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2024-55512
Vulnerability details
Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Related Threats
MITRE ATT&CK Enterprise Techniques: Exploit Public-Facing Application (T1190)
Why these techniques?
Remote memory corruption (an out-of-bounds write) in a serialization/compression library directly enables remote exploitation of a network-accessible application for code execution.
Mitigating Controls (NIST 800-53 r5)
- SI-2 (Flaw Remediation): directly requires timely patching and updating of the vulnerable Sereal::Encoder module to version 4.010 or later, eliminating the embedded Zstandard race condition.
- RA-5 (Vulnerability Monitoring and Scanning): enables scanning and monitoring to identify systems running Sereal::Encoder versions affected by CVE-2024-14031.
- Memory protection: implements memory protection techniques that mitigate exploitation of the out-of-bounds write triggered by the Zstandard race condition.