Security Advisories (1)
CVE-2026-8796 (2026-05-31)

Sereal::Decoder versions before 5.005 for Perl allow a heap out-of-bounds read via crafted input. In Perl/Decoder/srl_decoder.c, srl_read_object() and srl_read_hash() process a COPY tag, a back-reference whose target byte the decoder re-decodes as a fresh tag. When that target byte matches the SHORT_BINARY pattern (an inline string whose length is encoded in the low bits of the tag), the resulting read is not bounded to precede the COPY tag's own offset and can run past the end of the input buffer. An attacker-controlled COPY offset can land inside a previously decoded value rather than on a tag boundary, planting a byte that the decoder reads as a SHORT_BINARY tag; the decoder then consumes up to 31 following bytes from the heap as a class name (OBJECT path) or hash key (HASH path).

Changes for version 3.000_002

  • Fixes from v3.000_001, primarily to looks_like_sereal().
  • Doc clarifications: the new magic header is forbidden on v1 and v2 documents and required on v3 and later.
  • Other minor fixes.

Changes for version 3.000_001

  • Upgrade to version 3 of the protocol
    • Add Zlib compression support to the protocol
    • Add Zlib support to Encoder/Decoder
    • Add CANONICAL_UNDEF tag to represent PL_sv_undef
    • Change magic header so it is trivial to detect and reject utf8 encoded Sereal packets.

Modules

Fast, compact, powerful binary deserialization
Getting the most out of the Perl-Sereal implementation

Provides

in lib/Sereal/Decoder/Constants.pm