Cyber Resilience

CVE-2024-14031

Severity: High
Published: 31 March 2026
Modified: 13 April 2026
KEV Added:
Patch:
CVSS Score (v3.1): 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0036 (27.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2024-14031 is a high-severity Out-of-bounds Write (CWE-787) vulnerability in Yves Sereal. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 27.3rd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and RA-5 (Vulnerability Monitoring and Scanning).

Deeper analysis

CVE-2024-14031 affects Sereal::Encoder, a Perl module for serializing data, specifically versions from 4.000 through 4.009_002. These versions embed a vulnerable iteration of the Zstandard (zstd) compression library that is susceptible to CVE-2019-11922. The underlying issue is a race condition in zstd's one-pass compression functions prior to version 1.3.8, which can lead to an out-of-bounds write (CWE-787) when an output buffer smaller than the recommended size is provided. The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H).

Remote attackers without privileges can exploit this vulnerability over the network with high attack complexity and no user interaction required. Exploitation occurs during compression operations if the output buffer is undersized, triggering the race condition and enabling arbitrary byte writes beyond buffer boundaries. Successful exploitation could result in high confidentiality, integrity, and availability impacts, such as code execution, data corruption, or denial of service within the affected Perl application using Sereal::Encoder.

Advisories, including the GitHub Security Advisory GHSA-w77f-wv46-4vcx and the release notes for Sereal::Encoder 4.010 on MetaCPAN, recommend updating to version 4.010 or later, which incorporates a patched version of the Zstandard library. Additional details on the root cause are available in the CVE-2019-11922 record on cve.org.
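Added example, not code from the advisory or the Sereal project: a Python check that compares Perl decimal version strings the way Perl does (underscores in developer releases such as 4.009_002 are ignored, so it compares as 4.009002 and sorts below 4.010) and flags Sereal::Encoder installations inside the affected range. The tab-separated inventory format and host names are constructed assumptions standing in for an asset-inventory export.

```python
import re
from decimal import Decimal

# Affected range from the advisory: 4.000 through 4.009_002; fixed in 4.010.
AFFECTED_MIN = Decimal("4.000")
FIXED_IN = Decimal("4.010")

def normalize_perl_version(version: str) -> Decimal:
    """Turn a decimal Perl version string into a comparable number.

    Perl ignores underscores in numeric literals, so the developer release
    4.009_002 is numerically 4.009002 and sorts below 4.010. Dotted-decimal
    "v4.9.2" style versions are rejected rather than misread.
    """
    v = version.strip()
    if not re.fullmatch(r"\d+(?:\.\d+(?:_\d+)*)?", v):
        raise ValueError(f"unsupported version string: {version!r}")
    return Decimal(v.replace("_", ""))

def is_affected(version: str) -> bool:
    """True if a Sereal::Encoder version is inside the CVE-2024-14031 range."""
    return AFFECTED_MIN <= normalize_perl_version(version) < FIXED_IN

# Constructed sample inventory (host<TAB>module<TAB>version), not real data.
SAMPLE_INVENTORY = """\
web-01\tSereal::Encoder\t4.009_002
web-02\tSereal::Encoder\t4.010
batch-01\tSereal::Encoder\t4.000
batch-02\tSereal::Encoder\t4.018
legacy-01\tSereal::Encoder\t3.015
web-03\tSereal::Decoder\t4.009
"""

def find_affected_hosts(inventory: str) -> list[tuple[str, str]]:
    """Return (host, version) pairs running an affected Sereal::Encoder.

    Only Sereal::Encoder is matched: the advisory names the encoder, so a
    Sereal::Decoder entry with the same version number is out of scope.
    """
    hits = []
    for line in inventory.strip().splitlines():
        host, module, version = line.split("\t")
        if module == "Sereal::Encoder" and is_affected(version):
            hits.append((host, version))
    return hits

if __name__ == "__main__":
    for host, version in find_affected_hosts(SAMPLE_INVENTORY):
        print(f"{host}: Sereal::Encoder {version} affected; upgrade to 4.010+")
```

On a live host the version string can be obtained with `perl -MSereal::Encoder -e 'print $Sereal::Encoder::VERSION'` and fed to `is_affected`.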


Vulnerability details

Sereal::Encoder versions from 4.000 through 4.009_002 for Perl embed a vulnerable version of the Zstandard library. Sereal::Encoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 that could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.


Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Remote memory corruption (OOB write) in a serialization/compression library directly enables remote exploitation of a network-accessible application for code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-14030 · Same product: Yves Sereal
CVE-2025-27807 · Shared CWE-787
CVE-2024-48856 · Shared CWE-787
CVE-2025-14234 · Shared CWE-787
CVE-2018-25223 · Shared CWE-787
CVE-2018-25154 · Shared CWE-787
CVE-2024-57704 · Shared CWE-787
CVE-2025-29384 · Shared CWE-787
CVE-2024-12648 · Shared CWE-787
CVE-2025-30276 · Shared CWE-787

Affected Assets

Vendor: yves
Product: sereal

Mitigating Controls

Mitigating Controls (NIST 800-53 r5)

prevent (SI-2 Flaw Remediation)

Directly requires timely patching and updating of the vulnerable Sereal::Encoder module to version 4.010 or later, eliminating the embedded Zstandard race condition.

detect (RA-5 Vulnerability Monitoring and Scanning)

Enables scanning and monitoring to identify systems with vulnerable Sereal::Encoder versions affected by CVE-2024-14031.

prevent

Implements memory protection techniques that mitigate exploitation of the out-of-bounds write triggered by the Zstandard race condition.
