Cyber Resilience

CVE-2026-8796

High · Updated

Published: 31 May 2026

Modified: 17 June 2026
KEV Added: not listed
Patch:
CVSS v3.1 Score: 8.1 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H)
EPSS Score: 0.0040 (31.8th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-8796 is a high-severity Out-of-bounds Read (CWE-125) vulnerability. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 31.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

EU & UK References

Vulnerability details

Sereal::Decoder versions before 5.005 for Perl allow a heap out-of-bounds read via crafted input. In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag's own offset and can run past the end of the input buffer. An attacker-controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag and consuming up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path).

CWE(s)

CWE-125 Out-of-bounds Read

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

An out-of-bounds read during deserialization of untrusted Sereal input directly enables remote exploitation of applications using the library, whether public-facing (T1190) or client-side (T1203).

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42799 (shared CWE-125)
CVE-2026-22984 (shared CWE-125)
CVE-2025-1674 (shared CWE-125)
CVE-2025-55100 (shared CWE-125)
CVE-2025-24230 (shared CWE-125)
CVE-2026-3055 (shared CWE-125)
CVE-2026-41415 (shared CWE-125)
CVE-2025-48530 (shared CWE-125)
CVE-2026-34235 (shared CWE-125)
CVE-2026-4424 (shared CWE-125)

Affected Assets

Sereal::Decoder (inferred from references and description; NVD did not file a CPE for this CVE)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References