CVE-2026-4177
Published: 16 March 2026
Summary
CVE-2026-4177 is a critical-severity heap-based buffer overflow (CWE-122) in the YAML::Syck Perl module (listed as Toddr Yaml). Its CVSS v3.1 base score is 9.1 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); it is ranked at the 6.3rd percentile by exploit likelihood (well below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-2 (Flaw Remediation): mandates timely remediation of the heap buffer overflow, memory leak and corruption flaws in YAML::Syck by updating to version 1.37_01. The underscore marks a CPAN developer release, so check for a later stable release before rolling it out fleet-wide.
SI-16 (Memory Protection): implements memory protections such as DEP and ASLR, which raise the cost of turning the heap overflow and related corruption into code execution but do not remove the bug; they complement patching, not replace it.
RA-5 (Vulnerability Monitoring and Scanning): enables vulnerability scanning to identify and report hosts running YAML::Syck 1.36 or earlier.
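As an added example (not part of this page and not YAML::Syck's own code) of the RA-5 check above, here is a small C program that classifies reported YAML::Syck versions against the fixing release. It assumes each inventory line was produced by running `perl -MYAML::Syck -e 'print $YAML::Syck::VERSION'` on the host in question; the host names and versions in SAMPLE_INVENTORY are constructed. The subtlety worth showing is CPAN's underscore convention for developer releases ("1.37_01"), which a plain string comparison or a naive strtod of the raw string gets wrong.

```c
/* Added example: classify YAML::Syck versions relative to the fixing
 * release 1.37_01 named in the advisory. Not YAML::Syck project code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

#define SYCK_FIXED_VERSION "1.37_01"

/* Convert a CPAN decimal version ("1.36", "1.37_01") to a double.
 * CPAN developer releases carry an underscore that must be removed
 * before numeric comparison: strtod("1.37_01") would stop at the
 * underscore and yield 1.37, which sorts below the fix. */
double cpan_decimal_version(const char *ver) {
    char buf[64];
    size_t n = 0;
    for (const char *p = ver; *p != '\0' && n < sizeof buf - 1; p++) {
        if (*p == '_') continue;
        if (!isdigit((unsigned char)*p) && *p != '.') break;
        buf[n++] = *p;
    }
    buf[n] = '\0';
    return strtod(buf, NULL);
}

/* 1 if the version predates 1.37_01 (i.e. is affected), else 0.
 * Anything numerically below 1.3701 predates the fix in CPAN ordering,
 * which covers 1.36 and developer releases such as 1.36_01. */
int syck_version_vulnerable(const char *ver) {
    return cpan_decimal_version(ver) < cpan_decimal_version(SYCK_FIXED_VERSION);
}

/* Constructed sample inventory: "host<TAB>version", one line per host. */
static const char SAMPLE_INVENTORY[] =
    "web-01\t1.34\n"
    "web-02\t1.36\n"
    "batch-01\t1.36_02\n"
    "web-03\t1.37_01\n";

/* Walk the inventory without mutating it (no strtok on shared data,
 * the same mistake the advisory notes in the parser) and count hosts
 * still on an affected YAML::Syck. Returns the count. */
int count_vulnerable_hosts(const char *inventory) {
    int vulnerable = 0;
    const char *line = inventory;
    while (*line != '\0') {
        const char *eol = strchr(line, '\n');
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *tab = memchr(line, '\t', len);
        if (tab != NULL) {
            char ver[64];
            size_t vlen = len - (size_t)(tab + 1 - line);
            if (vlen >= sizeof ver) vlen = sizeof ver - 1;
            memcpy(ver, tab + 1, vlen);
            ver[vlen] = '\0';
            if (syck_version_vulnerable(ver)) {
                printf("%.*s\tYAML::Syck %s predates 1.37_01 (CVE-2026-4177)\n",
                       (int)(tab - line), line, ver);
                vulnerable++;
            }
        }
        if (eol == NULL) break;
        line = eol + 1;
    }
    return vulnerable;
}

int main(void) {
    int n = count_vulnerable_hosts(SAMPLE_INVENTORY);
    printf("%d host(s) need the YAML::Syck update\n", n);
    return 0;
}
```

On the constructed inventory the scan reports web-01, web-02 and batch-01 and leaves web-03 alone. Feed it real `host<TAB>version` lines from your configuration-management tool to get the same report for your fleet.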
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The parser-side flaws (the base64 decoder reading past the buffer end on trailing newlines and strtok mutating n->type_id in place) are reachable from attacker-supplied YAML, and the emitter overflow is reached when the library dumps an object whose class name exceeds the initial 512-byte allocation. Together they give a remote, unauthenticated attacker a memory-corruption path toward arbitrary code execution on hosts that handle untrusted YAML with this library. That maps directly to T1190 against public-facing Perl applications, with follow-on command execution via the Unix shell (T1059.004).
NVD Description
YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities, including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor: the incoming anchor string 'a' was leaked on early return.
Deeper analysis
CVE-2026-4177 affects YAML::Syck versions through 1.36, a Perl module for parsing and emitting YAML data. The vulnerability encompasses multiple issues, with a high-severity heap buffer overflow in the YAML emitter triggered when class names exceed the initial 512-byte allocation. Additional flaws include a base64 decoder reading past the buffer end on trailing newlines, strtok mutating n->type_id in place and corrupting shared node data, and a memory leak in syck_hdlr_add_anchor when a node already has an anchor, leaking the incoming anchor string on early return. These are classified under CWE-122 (Heap-based Buffer Overflow) with a CVSS v3.1 base score of 9.1.
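To make the emitter bug class concrete, the following is an added example and not YAML::Syck's code: a toy emitter that writes a `!!perl/hash:ClassName` tag (the prefix is assumed for illustration; Syck's exact tag text may differ) with a fixed 512-byte allocation and unchecked copies, beside the hardened form that sizes the allocation from the input. The `make_class_name` helper is only there to build long inputs for the demo.

```c
/* Added example, not YAML::Syck's code: the fixed-allocation pattern the
 * advisory describes (a 512-byte block that a long class name overruns)
 * next to an allocation sized from the input. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define INITIAL_ALLOC 512            /* the fixed size named in the advisory */
#define TAG_PREFIX "!!perl/hash:"    /* assumed tag form for the example */

/* Bytes the full tag needs, including the terminating NUL. */
size_t tag_bytes_needed(const char *class_name) {
    return strlen(TAG_PREFIX) + strlen(class_name) + 1;
}

/* 1 if writing the tag into a fixed 512-byte block would overflow it. */
int exceeds_initial_alloc(const char *class_name) {
    return tag_bytes_needed(class_name) > INITIAL_ALLOC;
}

/* Vulnerable pattern: allocation sized for the common case, copies that
 * never consult that size. With a class name longer than
 * INITIAL_ALLOC - strlen(TAG_PREFIX) - 1 bytes, strcat writes past the
 * end of the heap block. Kept here only to show the shape of the bug;
 * the demo and tests never call it with a long name. */
char *emit_tag_unchecked(const char *class_name) {
    char *buf = malloc(INITIAL_ALLOC);
    if (buf == NULL) return NULL;
    strcpy(buf, TAG_PREFIX);
    strcat(buf, class_name);         /* no check against INITIAL_ALLOC */
    return buf;
}

/* Hardened form: compute the size first, allocate exactly that, and let
 * snprintf bound the write even if the arithmetic were ever wrong. */
char *emit_tag_sized(const char *class_name) {
    size_t need = tag_bytes_needed(class_name);
    char *buf = malloc(need);
    if (buf == NULL) return NULL;
    snprintf(buf, need, "%s%s", TAG_PREFIX, class_name);
    return buf;
}

/* Demo helper: a class name of n 'A' bytes (caller frees). */
char *make_class_name(size_t n) {
    char *name = malloc(n + 1);
    if (name == NULL) return NULL;
    memset(name, 'A', n);
    name[n] = '\0';
    return name;
}

int main(void) {
    char *longname = make_class_name(600);
    char *tag;
    printf("600-byte class name overflows the 512-byte block: %d\n",
           exceeds_initial_alloc(longname));
    tag = emit_tag_sized(longname);
    printf("sized allocation holds a %zu-byte tag safely\n", strlen(tag));
    free(tag);
    free(longname);
    return 0;
}
```

The boundary is worth checking by hand: with a 12-byte prefix, a 499-byte class name fills the 512-byte block exactly (499 + 12 + 1), and the 500th byte is the first one written out of bounds. In an audit, that is the kind of length arithmetic to look for wherever a parser or emitter carries a "usually big enough" buffer.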
Remote attackers require no privileges or user interaction to exploit this over the network with low complexity. Successful exploitation of the heap buffer overflow can lead to high confidentiality and availability impacts, potentially allowing arbitrary code execution, sensitive data disclosure, or denial of service through memory corruption or crashes.
Patches addressing these issues appear in YAML::Syck version 1.37_01, as detailed in the release changes on MetaCPAN, and a specific GitHub commit provides the fix. An announcement on the oss-security mailing list from March 16, 2026, discloses the vulnerabilities and references these mitigations.
Details
- CWE(s)