Cyber Resilience

CVE-2026-4177

Severity: Critical (Updated)
Published: 16 March 2026
Modified: 30 June 2026
KEV Added: not listed
Patch: available (1.37_01)
CVSS Score (v3.1): 9.1, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H
EPSS Score: 0.0050 (39.0th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2026-4177 is a critical-severity Heap-based Buffer Overflow (CWE-122) vulnerability in YAML::Syck, the Perl YAML module published under the CPAN author Toddr. Its CVSS base score is 9.1 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 39.0th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-16 (Memory Protection).

Deeper analysis

CVE-2026-4177 affects YAML::Syck versions through 1.36, a Perl module for parsing and emitting YAML data. The vulnerability encompasses multiple issues, with a high-severity heap buffer overflow in the YAML emitter triggered when class names exceed the initial 512-byte allocation. Additional flaws include a base64 decoder reading past the buffer end on trailing newlines, strtok mutating n->type_id in place and corrupting shared node data, and a memory leak in syck_hdlr_add_anchor when a node already has an anchor, leaking the incoming anchor string on early return. These are classified under CWE-122 (Heap-based Buffer Overflow) with a CVSS v3.1 base score of 9.1.

Remote attackers require no privileges or user interaction to exploit this over the network with low complexity. Successful exploitation of the heap buffer overflow can lead to high confidentiality and availability impacts, potentially allowing arbitrary code execution, sensitive data disclosure, or denial of service through memory corruption or crashes.

Patches addressing these issues appear in YAML::Syck version 1.37_01, as detailed in the release changes on MetaCPAN, and a specific GitHub commit provides the fix. An announcement on the oss-security mailing list from March 16, 2026, discloses the vulnerabilities and references these mitigations.
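The paragraph above gives the affected range (through 1.36) and the fixed release (1.37_01), and the detect control further down calls for scanning installed versions against that range. The following script is an added example, not code from the advisory or the YAML::Syck project; it classifies a Perl-style version string (including developer releases with an underscore, such as 1.37_01) and optionally asks a given perl binary which YAML::Syck it loads. The function names and the `--scan` flag are ours.

```shell
#!/bin/sh
# Added example (not from the advisory or the YAML::Syck project):
# classify a YAML::Syck version string against the range the advisory
# gives (affected through 1.36, fixed in 1.37_01) and, optionally, query
# the version a given perl binary would load. Function names are ours.

# Perl module versions may carry a leading "v" and, for developer
# releases, an underscore (1.37_01). Numerically Perl treats 1.37_01
# as 1.3701, so strip both before comparing.
normalize_perl_version() {
    printf '%s\n' "$1" | sed 's/^v//; s/_//g'
}

# Exit 0 when the version is in the affected range (numerically below
# 1.3701, which covers every release through 1.36), 1 when it is at or
# above the fixed version, 2 when the string is not a usable version.
yaml_syck_vulnerable() {
    ver=$(normalize_perl_version "$1")
    case "$ver" in
        ''|*[!0-9.]*|*.*.*|.*) return 2 ;;
    esac
    fixed=$(normalize_perl_version "1.37_01")
    awk -v v="$ver" -v f="$fixed" 'BEGIN { exit (v + 0 < f + 0) ? 0 : 1 }'
}

# Ask a perl binary (default: the one on PATH) which YAML::Syck it loads
# and print an inventory-style verdict. Exit 0 = affected, 1 = fixed,
# 2 = unparseable version, 3 = module not installed for that perl.
check_installed_yaml_syck() {
    perl_bin=${1:-perl}
    ver=$("$perl_bin" -MYAML::Syck -e 'print $YAML::Syck::VERSION' 2>/dev/null) || {
        echo "$perl_bin: YAML::Syck not installed"
        return 3
    }
    rc=0
    yaml_syck_vulnerable "$ver" || rc=$?
    case $rc in
        0) echo "$perl_bin: YAML::Syck $ver affected by CVE-2026-4177; upgrade to 1.37_01 or later" ;;
        1) echo "$perl_bin: YAML::Syck $ver is at or above the fixed version" ;;
        *) echo "$perl_bin: YAML::Syck version '$ver' could not be parsed" ;;
    esac
    return $rc
}

# Usage: sh check_yaml_syck.sh --scan [/path/to/perl]
if [ "${1:-}" = "--scan" ]; then
    check_installed_yaml_syck "${2:-perl}" || exit $?
fi
```

Run it once per perl interpreter on a host (system perl, perlbrew or plenv builds, application-bundled perls), since each has its own module path and may carry a different YAML::Syck.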


Vulnerability details

YAML::Syck versions through 1.36 for Perl have several potential security vulnerabilities, including a high-severity heap buffer overflow in the YAML emitter. The heap overflow occurs when class names exceed the initial 512-byte allocation. The base64 decoder could read past the buffer end on trailing newlines. strtok mutated n->type_id in place, corrupting shared node data. A memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor: the incoming anchor string 'a' was leaked on early return.

CWE(s): CWE-122 (Heap-based Buffer Overflow)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-generated mapping)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

Heap buffer overflow in YAML::Syck emitter (and related memory corruption flaws) permits remote unauthenticated attackers to supply malicious YAML and achieve arbitrary code execution on hosts using the library; this directly enables T1190 against public-facing Perl applications and subsequent command execution via Unix shell (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2006-10003 (same vendor: Toddr)
CVE-2006-10002 (same vendor: Toddr)
CVE-2025-53511 (shared CWE-122)
CVE-2026-20868 (shared CWE-122)
CVE-2026-0006 (shared CWE-122)
CVE-2026-22828 (shared CWE-122)
CVE-2026-4395 (shared CWE-122)
CVE-2025-23317 (shared CWE-122)
CVE-2025-67896 (shared CWE-122)
CVE-2025-34523 (shared CWE-122)

Affected Assets

Vendor: toddr
Product: yaml (YAML::Syck), versions through 1.36

Mitigating Controls

Mitigating Controls (NIST 800-53 r5, AI-generated mapping)

Prevent (flaw remediation): Mandates timely remediation of flaws like the heap buffer overflow, memory leak, and corruption in YAML::Syck through patching to version 1.37_01.

Prevent (SI-16 Memory Protection): Implements memory protections such as DEP and ASLR to minimize impacts of the high-severity heap buffer overflow and related memory corruption issues.

Detect (RA-5 Vulnerability Monitoring and Scanning): Enables vulnerability scanning to identify and report the presence of vulnerable YAML::Syck versions <=1.36 across systems.
