CVE-2024-14030
Public on 2026-03-31
Modified on 2026-04-03
Description
Sereal::Decoder versions from 4.000 through 4.009_002 for Perl is vulnerable to a buffer overwrite flaw in the Zstandard library.
Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
Sereal::Decoder embeds a version of the Zstandard (zstd) library that is vulnerable to CVE-2019-11922. This is a race condition in the one-pass compression functions of Zstandard prior to version 1.3.8 could allow an attacker to write bytes out of bounds if an output buffer smaller than the recommended size was used.
CVSS v3 Base Score
See breakdown
Affected Packages
| Platform | Package | Release Date | Advisory | Status |
|---|---|---|---|---|
| Amazon Linux 2 - Core | perl | Not Affected | ||
| Amazon Linux 2023 | perl | Not Affected | ||
| Amazon Linux 2023 | perl-Sereal-Encoder | Not Affected |
CVSS Scores
| Score Type | Score | Vector | |
|---|---|---|---|
| Amazon Linux | CVSSv3 | 8.1 | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |