CVE-2026-9516

Cpanel::JSON::XS versions before 4.41 for Perl allow denial of service via UTF-8 BOM prefixed input when a decode filter callback throws. To skip a leading 3-byte UTF-8 BOM, decode_json() advances the input scalar's string pointer past the mark with SvPV_set() and restores it only on the normal return path. When decoding aborts through a Perl exception, for example a filter_json_object callback that croaks, the restore is skipped and the scalar is left with its string pointer offset into its own buffer and a shortened length. When that scalar is later freed, the allocator receives an invalid pointer and the interpreter aborts. A single BOM prefixed document decoded with a throwing filter callback crashes any caller.

CVSS v3 7.5 HIGH

7.5^/10

CVSS v3 : HIGH

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/rurban/Cpanel-JSON-XS/commit/dfe1b41a36caba51dc12a2917fe50285d1ffaa7b.patch
https://metacpan.org/release/RURBAN/Cpanel-JSON-XS-4.41/changes
http://www.openwall.com/lists/oss-security/2026/06/03/5

Configurations

No configuration.

History

03 Jun 2026, 18:16

Type	Values Removed	Values Added
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 7.5

03 Jun 2026, 11:16

Type	Values Removed	Values Added
References		() http://www.openwall.com/lists/oss-security/2026/06/03/5 -

03 Jun 2026, 01:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-06-03 01:16

Updated : 2026-06-04 15:21

NVD link : CVE-2026-9516

Mitre link : CVE-2026-9516

CVE.ORG link : CVE-2026-9516

JSON object : View

Products Affected

No product.

CWE

CWE-755

Improper Handling of Exceptional Conditions

CWE-763

Release of Invalid Pointer or Reference

7.5 /10